GDPR Policy

Privacy Policy (GDPR)

Policy on the processing of personal data of Skinmed Center customers – Shop Online Division

This policy refers to important information. So we encourage you to take the time to read it in full and carefully and to make sure you fully understand it. Do not hesitate to let us know any concerns you may have about it.


What is the scope of this policy

The personal data processing policy, related to the EU General Data Protection Regulation (GDPR) explains how SKINMED CENTER – SHOP ONLINE DIVISION (based in Bucharest, Calea Dudeşti nr. 188, ap. 119, sector 3, J40 / 7446/2014), hereinafter referred to as “The online store” or “we”, as a controller according to the legislation on personal data protection, use your personal data. It provides details on how we process your personal data, the purpose and reasons for which we process it, as well as the people to whom we may transmit it. This policy also discloses your personal data rights. It applies to all your personal data.


What is the personal data we may collect

We collect and process your personal data that includes all information that identifies you or that can be used to identify you. Thus, we collect:

  • Personal details – name; surname; home / residence address; mobile phone number / landline; email address;
  • Payment details – the number of the bank account or bank card / IBAN code; name and surname of the holder of the bank account or bank card (it may be different than you if someone else will make the payment of a purchased product in your name and for you;
  • Opinions about us or the products used and our services – any opinions and visions you convey to us or any opinions and visions that you post publicly about us on social media (social media) or that you make known on other public channels;
  • Communication and other personal preferences – data regarding the services provided by the Clinic and the interaction with us, such as: records of your interactions with us; details of the history of the services provided by us to you.
    We do not collect sensitive personal data as defined by the GDPR.
    We do not collect or process the personal data of minors under the age of 18. The declaration regarding the age of our customers is on our own responsibility.


How we will use your personal data

The processing of your personal data includes the legal ways in which we may record, organize, structure, store, adapt or modify, retrieve, consult, use, disclose by transmission or even make available, restrict, delete or destroy your personal data.

We may process your personal data for the following purposes:

  • Making and managing a valid account on the platform;
  • Processing your order;
  • In order to be able to give you details about the order and/or products;
  • Billing of the order;
  • Shipping the ordered products;
  • Return of products according to the return policy and refund of the value of the products purchased from us;
  • Marketing communications – in order to be able to inform you about general or thematic offers, about products that you have purchased or similar to them, for carrying out the promotion activity to customers / potential customers by email or sms; for this we may use data on what you have purchased or products that you have viewed or mentioned in a wishlist. But the entire process of creating a profile will fully respect your rights and freedoms and the decisions will not affect you to a significant extent;
  • Monitoring your interactions with us – drawing up and archiving the feedback form;
  • Financial management – issuing invoices to you; receiving payments from you, including the registration of payments made by another person on your behalf; elaboration of financial reports, issuance of financial statements;
  • Fulfilling our legal obligations regarding archiving, keeping records and other obligations that the legislation imposes on us;
  • Judicial procedures and governmental investigations – representation before public authorities;
  • Administration and protection of the platform.

If we process your data for purposes other than those declared, we will send you an information note before processing your personal data for those purposes so that, when that processing is subject to your consent, you can express it freely and expressly for each processing operation.


What is our legal basis for processing your personal data

The applicable legal basis according to which we process your personal data for the specific purposes listed above includes the following:

  • Performance of the service contract (art. 6 para. 1 lit. b sentence I of GDPR) – if we resort to processing for the fulfillment of contractual obligations under a contract of which you are a part, you may not be able to challenge this processing or if you choose to opt out of or oppose our processing, it may affect our ability to fulfill a contractual obligation that we owe you;
  • Compliance with applicable laws (Art. 6 para. 1 lit. c gdpr) – in certain circumstances, it may be necessary to process your personal data in order to comply with a relevant law / regulation. If we process your personal data to fulfill our legal obligations, you may not be allowed to object to this processing activity, but you will usually have the right to access or review this information, unless it would impede the performance of our legal obligations;
  • Our legitimate interest (Art. 6 para. 1 lit. f) GDPR) – we may process your personal data based on our legitimate interests to communicate and manage interactions with you in relation to our products and services. In addition to the other rights described below, you have the right to challenge the processing of your personal data. You can object by contacting us using the information in the “How to contact us” section below;
  • Based on your consent (Art. 6 para. 1 lit. a) GDPR) – in some cases, we may ask for your consent to collect and process your personal data. If you choose to give us your consent, you can withdraw it later (or opt for opt-out) by contacting us using the information in the “How to contact us” section below. Please note that if you withdraw your consent, this will not affect any processing of personal data that has already taken place. If we process your personal data on the basis of consent, we will provide you with more detailed information when we obtain your consent.


To whom and when will we disclose or transmit your personal data?

We will transmit or disclose your personal data to the following entities:

  • To third parties that we will contract in order to carry out the services on our behalf to perform activities or functions related to the purposes of processing your personal data described above (market research service providers, IT service providers, payment service providers, courier service providers). We will require that these third parties acting on our behalf protect the privacy and security of your personal data that we transmit to them. These third parties have contractually agreed that they will not use or disclose your personal data for purposes other than those necessary to provide our services, perform services on our behalf, or comply with applicable laws or regulations;
  • Legal proceedings. In the event that misunderstandings arise between you and us that we cannot settle together amicably, we may process your sensitive data (for example, establishing a diagnosis and the procedure applied) for the establishment, exercise or defense of our right in court.


To whom and under what conditions will we transfer your data to a third country?

At this time we do not transfer and do not intend to transfer your personal data or any part of it to other companies, organizations or individuals from third countries or to international organizations.

If it is necessary to transfer your data to any of the above destinations, we will send you a prior information note about it.


How do we protect your personal data?

We use professionally standard administrative, technical and physical safeguards to protect your personal data against loss, theft, misuse, unauthorized access, alteration, disclosure and destruction. Each customer has a protected account with a password. The platform is on a secure server with valid SSL certificates installed. We grant access to your personal data only to those employees and third parties who act on our behalf and who justify a legitimate interest in such access. We will transfer your personal data to third parties acting on our behalf, if we have received written assurances that your personal data will be protected in accordance with our data processing policy.


How long do we keep your personal data?

Your personal data will be stored on the platform as long as you have an account but in accordance with the provisions and conditions imposed by the framework legislation. Thus:

  • The data processed for accounting purposes (those regarding invoicing and payments) will be stored, according to the accounting legislation, for a period of 10 years;
  • The data processed for marketing purposes will be processed for a period of 3 years.


What are your rights?

You have the right to consult and obtain a copy of your personal data, including an electronic copy that we have, as well as to ask us to make changes in the case of inaccurate or incomplete personal data that we have with reference to you. You may also request that we delete your data when it is no longer necessary for the purposes for which you provided it to us, restrict the way we process your personal data for certain limited purposes where it is not possible to delete the data, or object to the processing of your personal data. In certain situations, you may request that your data be ported to a third party of your choice.

Also, in cases where we process your data on the basis of your consent, you have the right to withdraw your consent; you can do this at any time, at least as easily as you initially gave us your consent; the withdrawal of consent will not affect the lawfulness of the processing of your data that we carried out before the withdrawal.

Right to lodge a complaint with the supervisory authority. You have the right to lodge a complaint with the supervisory authority for the processing of personal data regarding the processing of your data by us or on our behalf.

To exercise any of these rights, please contact us as indicated in the “How to contact us” section below.

Your request will be analyzed with the utmost seriousness and you will be sent a response within the legal term of 30 calendar days from the receipt of the request, according to the GDPR provisions.


What happens if we revise this personal data processing policy?

We may amend this policy on the processing of personal data to reflect changes in the legislation, in the internal practices and procedures of personal data processing, in the characteristics of the website or in the technological advances made in the last period of time. These changes can be viewed in the updated policy on the platform.


How can you contact us if you have any questions or concerns?

If you have any comments, suggestions, questions or concerns about any information in this policy or about any other aspects of the processing of your data that we carry out, please do not hesitate to contact us through any of the communication channels below. Our entire team will make every reasonable effort to ensure that we respond to you as quickly and completely as possible.

Our contact details:

Registered office address: Bucharest, sector 3, Calea DUDEŞTI nr. 188, cam.2, Block B, 15th floor, Ap. 119

Office address: Bucharest Alba Iulia Square no. 2, bl. I1, Section 1, sector 3

Email address:


What solutions do you have at your disposal?

For more information about your privacy and data protection rights or if you cannot solve a problem directly with us and would like to make a complaint, please contact the country-specific data protection authority (National Supervisory Authority for Personal Data Processing, based in Bucharest, Bdul General Gheorghe Magheru nr. 28-30, postal code 010336, Romania, Phone: +40 31 805 9211)


What do the terms used in this policy mean?

  • Supervisory authority for the processing of personal data: an independent public authority which, according to the law, has powers related to the supervision of compliance with the legislation on the protection of personal data. In Romania, this supervisory authority for the processing of personal data is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
  • Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious confession, philosophical beliefs or trade union membership, sex life or sexual orientation, criminal conviction data, genetic data, biometric data, health data;
  • Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she accepts, by a statement or by a clear affirmative action, that personal data concerning him or her are processed;
  • Personal data – any information related to an identified or identifiable natural person. That natural person who can be identified directly or indirectly will be considered identifiable, in particular by using an identifier such as, for example, an online identifier; A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, for example: name, identification number, online identifier, one or more specific elements, specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Thus, for example, the following are included in the notion of personal data: name and surname; home or residence address; email address; phone number. The categories of personal data about you that we process are listed above.
  • Personal data controller – natural or legal person, as well as any public authority, agency or other body that, alone or together with others, determines the purposes and means of processing personal data;
  • Processing of personal data – any operation or set of operations carried out in relation to personal data, with or without the use of automated means such as, for example, collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any way, alignment or combination, restriction, erasure or destruction;
  • Empowered person – the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
  • Data subject – the natural person whose personal data are processed by the controller or by the processor.