The protection of your personal data is very important for SC COSMO PHARM SRL (hereinafter referred to as “Cosmo Pharm” or the “Operator”), Romanian legal entity, with headquarters in Bucharest Ring Road, 24-26 1, Tunari, Ilfov, Romania, J40/15215/1994, RO6058303. We want you to be properly informed about how and for what purposes Cosmos Pharm processes your personal data.


The purpose of this Personal Data Processing Security Policy (hereinafter referred to as the “Security Policy”) is to establish the appropriate technical and organizational measures and the responsibilities of Cosmo Pharm employees with personal data processing duties and/or, as the case may be , of the persons authorized by Cosmo Pharm, to fulfill the obligations related to guaranteeing and protecting the fundamental rights and freedoms of natural persons, especially the right to intimate, family and private life, regarding the processing of personal data.


If you notice any errors in the provision of personal data concerning you, please inform us as soon as possible, using any of the means indicated in section 7 of this Security Policy.


1. Principles of personal data processing


1.1. Personal data is processed by Cosmo Pharm in good faith and in accordance with the legal provisions in force.


1.2. Personal data is collected by Cosmo Pharm for well-defined, explicit and legitimate purposes, and further processing will not be incompatible with these purposes.


1.3. Personal data are adequate, relevant and not excessive in relation to the purpose for which they are collected and subsequently processed.


1.4. Personal data is not stored by Cosmo Pharm for a longer period than is necessary to achieve the purposes for which it was collected.


1.5. Cosmo Pharm has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of unlawful processing, as well as regarding the deletion or rectification of inaccurate or incomplete data from from the point of view of the purpose for which they are collected and for which they will be subsequently processed.


2. Categories of data and purpose of use of personal data


The personal data referred to in this Security Policy include identification elements such as name and surname, name and surname of legal representatives, gender, date and place of birth, age, citizenship, telephone/fax number, home address/residence , e-mail address, personal numerical code, ID/passport series and number, job, profession, professional training – diplomas – studies, bank data or other such, which serve to identify you or the persons who represent you times you represent.

Cosmo Pharm will collect, use, process and provide the personal data provided by you for purposes such as advertising, marketing and publicity, the organization of courses, seminars, other events (including delegations, conferences and fairs), for educational purposes for the organization of professional training programs , for the issuance of any financial-accounting documents, the conclusion of contracts or other documents necessary in the activity of Cosmo Pharm.

Personal data is intended for use by Cosmo Pharm and is collected through persons designated for this purpose. Part of this data can be communicated to contractual partners of Cosmo Pharm.

The collection and processing of personal data of minors by Cosmo Pharm will only be done with the explicit consent of parents or other legal representatives.



3. General rules


3.1. This Security Policy establishes technical and organizational measures implemented by Cosmo Pharm, to fulfill the obligations regarding the confidentiality and security of the processing carried out within its activity. Minimum security requirements mean a set of technical, IT, organizational, logistical and procedural measures that ensure a level of processing security in accordance with national legislation, as well as with the requirements of the European Regulation on the Protection of Personal Data GDPR 679 /2016.


3.2. Cosmo Pharm has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of unlawful processing. In this sense, a person responsible for complying with the provisions of Law no. 190/2018 and GDPR 679/2016.


3.3. In order to fulfill the related legal provisions and in order to meet the requirements of keeping data and information safe, Cosmo Pharm has developed and implemented organizational and technical measures oriented towards certain directions of action:

– User identification and authentication;

– Type of access;

– Data collection;

– Execution of safety copies;

– Computers and access terminals;

– Access files;

– Staff training;

– Telecommunications systems;

– Using computers;

– Data printing.


4. Specific procedures


4.1. User identification and authentication

The user means any person acting under the authority of Cosmo Pharm or the person authorized by Cosmo Pharm, with a recognized right of access to personal databases.

To gain access to personal data, users must identify themselves.

In the case of automated processing, identification is carried out by authentication in Cosmo Pharm’s IT systems. Authentication is done by entering unique authentication data, consisting of user account and password.

Passwords are strings of characters, security-appropriate in length and composition, according to Cosmo Pharm’s IT security policy. When entering passwords, the typed characters are not displayed clearly on the monitor. According to Cosmo Pharm’s IT Security Policy, passwords must be changed periodically.

The operator has implemented an IT system that automatically denies a user access after a number of wrong password entries.

Any user who receives access to the personal database is informed that they must keep the authentication data confidential and answer in this regard to the operator.

Cosmo Pharm has established a procedure for the administration and management of user accounts, provided for in Cosmo Pharm’s IT Security Policy. In accordance with its provisions, clear rules are established for granting or canceling the rights and methods of access to the user account.

User access to the personal databases managed in the manual system is done only on the basis of a list approved by the management of Cosmo Pharm.


4.2. Access type

Users can only access the personal data necessary to fulfill the duties assigned by Cosmo Pharm. For this, the types of access according to functionality (administration, input, processing, saving, etc.) and according to actions applied to personal data (writing, reading, deleting), as well as the procedures regarding these types of access, are stable.

The programmers of the personal data processing systems have access to the personal data based on a strict confidentiality agreement signed with Cosmo Pharm, exclusively in cases where this is necessary, each operation being documented.

The department providing technical support may have access to personal data to resolve incidents and problems arising in the use of IT systems.

The computers and servers containing the databases of personal information are located in rooms with controlled access. Documents containing personal data of the type considered special categories of data are kept in rooms with restricted access.

The operator has established strict methods by which personal data will be destroyed.


4.3. Data collection

Cosmo Pharm designates authorized users for the operations of collecting, entering and processing personal data in a computerized or manual system.

Any modification of personal data can only be done by authorized users designated by the operator.

The operator has taken steps for the information system to record who made the change, the date and time of the change. For better administration, the operator has implemented measures for the information system to maintain deleted or modified data.


4.4. Execution of safety copies

The computer system performs a daily, automatic back-up of the databases, for a possible data recovery, in case of loss, destruction or dysfunction of the computer systems.

Cosmo Pharm establishes the time interval at which backup copies of personal databases, as well as programs used for automated processing, will be executed. The users who run these backups are appointed by the operator, in a limited number. Backups are stored in a safe box with restricted access, located in a different room from the one where the backup is performed.


4.5. Computers and access terminals

Computers and other access terminals are installed in lockable access-controlled rooms. If computers are open and not acted upon for a given period, set by the operator, the work session is automatically closed.

Users are trained so that databases with personal information are closed, in cases where they are open, if unauthorized persons are around.

The servers hosting the databases can only be accessed in a controlled manner based on access rights.


4.6. Access files

Cosmo Pharm takes measures to ensure that any access to the personal database is recorded in an access file (called a log for automatic processing) or in a register for manual processing of personal data, established by the operator.

The information recorded in the access file or registry will be:

– identification code (user name);

– the name of the accessed file;

– the number of registrations made;

– type of access;

– the code of the operation performed or the program used;

– access date (year, month, day);

– time (hour, minute, second).

For automatic processing, this information will be stored in a general access file or in separate files for each user.

The operator is obliged to keep access files for at least 2 years, to be used as evidence in case of investigations. If the investigations are prolonged, these files will be retained until the investigations and any actions related to them are completed.

The access files must make it possible for the operator or the authorized person to identify the persons who have accessed personal data without a specific reason, in order to apply sanctions or notify the competent bodies.


4.7. Telecommunications systems

Cosmo Pharm, through authorized users, periodically checks authentication and access types to detect malfunctions in the use of telecommunications systems. Only strictly necessary personal data will be transmitted through telecommunications systems.


4.8. Staff training

Users who have access to personal databases are instructed on the provisions of Law no. 190/2018, to the minimum security requirements for the processing of personal data provided by Order no. 52/2002 and GDPR Regulation 679/2016, regarding the provisions of Cosmo Pharm’s IT security policy, as well as regarding the importance of maintaining their confidentiality and the risks involved in the processing of personal data.

Users who have access to personal data will be warned by messages that will appear on the monitors during the activity. Users are required to close their work session when they leave their workplace.


4.9. Use of computers

To maintain the security of personal data processing (especially against computer viruses) Cosmo Pharm has taken the following measures:

– prohibited the use by users of software programs that come from unsafe sources;

– users do not have administrator rights on computers, therefore they cannot install software programs without notifying the department that provides technical support;

– licensed software is used;

– users have been trained on Cosmo Pharm’s IT Security Policy and other general IT operating policies, including the danger posed by computer viruses;

– computers are protected with antivirus programs;

– the user’s activity is monitored and his access to printers is restricted


4.10. Data printing

Printing of personal data will only be done by designated users and only for the purpose specified in these rules.



5. The rights of the persons whose personal data are collected and/or processed


According to Law no. 190/2018 and GDPR Regulation 679/2016, you have the following rights regarding the processing of your personal data:

5.1. The right to information

You have the right to obtain from Cosmo Pharm at least the following information, unless you already have that information:

a) the identity of the operator and his representative, if applicable;

b) the purpose for which the data is processed;

c) additional information, such as: recipients or categories of data recipients; whether the provision of all requested data is mandatory and the consequences of refusing to provide them; the existence of the rights provided by this law for the data subject, in particular the right of access, intervention on the data and opposition, as well as the conditions under which they can be exercised;

d) any other information the provision of which is required by the supervisory authority, taking into account the specifics of the processing.


5.2. Right of access to data

You also have the right to obtain from Cosmo Pharm, upon request and free of charge for one request per year, confirmation that the data concerning you is or is not being processed by Cosmo Pharm.


5.3. The right to access data

At the same time, you have the right to obtain from the operator, upon request and free of charge, the rectification, updating, blocking or deletion of data whose processing is not in accordance with the law, especially incomplete or inaccurate data.


5.4. The right of opposition

In addition, you have the right to object at any time to the processing of your personal data by Cosmo Pharm, according to GDPR Regulation 679/2016.


5.5. The right not to be subject to an individual decision

According to Law no. 190/2018 and with the provisions of GDPR Regulation 679/2016, you have the right to request and obtain the withdrawal/cancellation/reevaluation of any decision that produces legal effects regarding you, adopted exclusively on the basis of personal data processing, carried out by automatic means, intended to evaluate some aspects of your personality, such as professional competence, credibility, behavior or other such aspects.


5.6. The right to seek justice

In accordance with Law no. 190/2018 and with the provisions of GDPR Regulation 679/2016, you have the right to go to court to defend any rights guaranteed by law, which have been violated.

To exercise these rights, you can apply with a written, dated and signed request, sent using the contact details indicated in section 7 of this Security Policy.



6. Disclosure of personal data to third parties


Collected data is disclosed to third parties only if Cosmo Pharm is subject to a legal obligation to do so. Any disclosure to third parties under other conditions of personal data will be made only with your express consent, expressed in advance.



7. Contact


For requests or questions regarding this policy please contact:

Bucharest ring road, 24-26 1, Tunari, Ilfov, Romania
Phone: 021.320.02.88

Fax: 021.323.00.46


8. Final provisions


This document is completed with the entire set of security procedures regarding the processing of personal data approved by Cosmo Pharm’s management, including Cosmo Pharm’s IT Security Policy.