Privacy Policy

In support of our global business processes, it is essential that the necessary information and data are provided throughout the S.C. AR25 Studio S.R.L. The company’s international operations require it to comply with the various legal requirements in different countries and regions. At the same time, adequate protection must be accorded our business partners and our employees.

The transfer of personal data across national borders is only permissible if such data are properly protected or if the units of the company that process the data can give an adequate guarantee that the privacy of the individuals whose data are transmitted is being protected. This Corporate Directive on Data Protection and Personal Data Privacy, when applied in conjunction with the Directive on IT Security, is designed to ensure that all Group companies meet this requirement. This Corporate Directive has been agreed with the European regulatory authorities.

  1. Introduction

For an innovative global company such as S.C. AR25 Studio S.R.L., the acquisition and meaningful use of information is of immense importance to achieving corporate objectives in all areas of business. Contemporary communication channels such as the Internet, intranets and e-mail play an essential part in accessing and exchanging information. They allow S.C. AR25 Studio S.R.L. to prepare and implement corporate decisions faster and more effectively than in the past.

However, improvements resulting from developments in information technology also entail greater risks, which have to be taken into account by ethical enterprises such as S.C. AR25 Studio S.R.L. For instance, personal rights could be violated by the improper or incorrect use of information technology. In this regard, S.C. AR25 Studio S.R.L. strives to protect the personal rights of any individual whose personal data it processes – including its employees, customers, suppliers and other contractual partners, interested persons, subjects and patients in clinical trials – regardless of the means or methods of collection of such personal data. In this context, S.C. AR25 Studio S.R.L. has issued the following Directive that applies throughout, and is binding upon, the S.C. AR25 Studio S.R.L. and relates to data protection and personal data privacy. This Directive implements one aspect of the Program for Legal Compliance and Corporate Responsibility at S.C. AR25 Studio S.R.L..

  1. Objective

This Corporate Directive has the objective of defining security standards for processing, storing, and transferring personal data within the S.C. AR25 Studio S.R.L. in order to ensure adequate protection of personal rights of the affected data subjects. Complying with the Directive is a requirement for the free exchange of personal data within S.C. AR25 Studio S.R.L..

  1. Scope

This Directive governs all data privacy issues. It applies to the processing of the personal data of any individual whose personal data are processed within the S.C. AR25 Studio S.R.L., including employees, customers, suppliers, other contractual partners, subjects and patients in clinical trials, interested persons and other parties, regardless of the origin of the data. The data protection and data security standards of this Directive are binding upon all S.C. AR25 Studio S.R.L. entities.

Existing legal obligations – both national and international – shall prevail over this Directive in countries where the collection or processing of personal data occurs. Every recipient of data must therefore check whether those regulations apply in his/her field of responsibility and ensure compliance. However, where data privacy requirements under national or international law are less strict than under this Directive, this Directive shall prevail. In certain countries, the data protection authorities require notification from the data controller before any wholly or partially automated processing of personal data is performed. Each S.C. AR25 Studio S.R.L. entity is responsible for complying with any notification obligations in their respective countries. The transfer of personal data to government authorities and agencies is only permissible in accordance with the respective applicable national laws.

Whenever a corporate unit has reason to believe that applicable statutory regulations are preventing it from fulfilling its obligations under mandatory internal company regulations and are significantly detrimental to the guarantees provided for thereunder, it shall notify S.C. AR25 Studio S.R.L. immediately unless prohibited from doing so by a law enforcement agency under national law.

S.C. AR25 Studio S.R.L. shall then make a responsible decision on the matter in consultation with the Corporate Privacy Officer and shall notify the respective national data protection authority accordingly.

  1. General Principles for Processing Personal Data

4.1 Permissibility of Data Processing
The processing of personal data is permitted only if the data subject has consented thereto or if permissible under applicable law at the place of processing. The permissibility of processing personal data is a prerequisite for the transfer of personal data pursuant to Section 5.

Consent shall be declared in writing or by other legally permissible means, whereby the data subject must be informed in advance about the purpose of such processing of personal data and the possible transfer of personal data to third parties. The declaration of consent must be highlighted when included as part of other statements so as to be clear to the data subject.

4.2 Intended Purpose
Personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed contrary to such intended purpose. The purpose of the data transferred by another S.C. AR25 Studio S.R.L. company is to be considered by the recipient when further processing and storing this data. Changes of purpose are only permissible with the consent of the data subject or if permitted by national law in the respective country from which personal data are transferred.

4.3 Data Economy
The processing of personal data must be necessary for the intended purpose. Available possibilities for the anonymization or pseudonymization of personal data should be used at an early stage, as far as this is possible and the cost is appropriate to the intended protective purpose. This applies in particular with regard to the personal data of subjects and patients in clinical trials.

4.4 Data Quality
Personal data must be factually correct and, as far as necessary, up-to-date. Appropriate and reasonable measures should be undertaken to correct or delete incorrect or incomplete data.

4.5 Data Security
The data controller shall implement appropriate technical and organizational measures to ensure the necessary data security. These measures refer in particular to computers (servers and workstations), networks and communication links, and applications; they are embedded in the IT security management system of the S.C. AR25 Studio S.R.L.. The essential measures which have been implemented within the S.C. AR25 Studio S.R.L. to avoid the unauthorized processing of personal data include, among other things, controls of e.g.

In addition, appropriate measures need to be taken to protect such data against deletion by chance, unauthorized deletion or loss. Full particulars are regulated in the IT Security Directive.

4.6 Confidentiality of Data Processing
Only authorized staff, who have undertaken to observe data secrecy requirements, are allowed to be involved in the processing of personal data. It is prohibited for them to use such data for their own private purposes or to make it accessible to any unauthorized entity. Unauthorized in this context also means the use of personal data by employees who do not need access to such data to fulfill their employment duties. The confidentiality obligation survives termination of employment.

4.7 Special Categories of Personal Data
The collection and processing of sensitive data are generally prohibited and allowed only if:

  • the data subject has explicitly declared his/her consent; or
  • the data subject has obviously made public such data; or
  • it is necessary for the protection of a vital interest of the data subject or a third party, and the data subject is not able for physical or legal reasons to declare his/her consent; or
  • it is necessary for the exercise, enforcement or defense of legal claims and it cannot be expected that the justified interests of the data subject not to collect or process personal data prevail; or
  • it is necessary for the performance of scientific research, the scientific interest in performing the research project prevails over the interests of the data subject not to collect or process personal data, and if the purpose of the research cannot be achieved otherwise or only with disproportionately high effort.

Furthermore, pharmaceutical research and development is subject to numerous national and international legal provisions which especially protect the personal rights of the data subject in respect of the processing of sensitive data2. Depending on the category of sensitive data and the risks associated with the intended use, appropriate security and safety measures pursuant to Section 4.5 will be taken (e.g. technical security devices, encryption and limitation of physical access).

  • physical access to data processing systems;
  • logical access to data processing systems,
  • logical access to data processing applications;
  • input of data into data processing systems; and
  • transfer of data by means of data transmission.
  • the data subject has obviously made public such data; or
  • it is necessary for the protection of a vital interest of the data subject or a third party, and the data subject is not able for physical or legal reasons to declare his/her consent; or
  • it is necessary for the exercise, enforcement or defense of legal claims and it cannot be expected that the justified interests of the data subject not to collect or process personal data prevail; or
  • it is necessary for the performance of scientific research, the scientific interest in performing the research project prevails over the interests of the data subject not to collect or process personal data, and if the purpose of the research cannot be achieved otherwise or only with disproportionately high effort.

4.8 Contract Data Processing
If S.C. AR25 Studio S.R.L. or other entities act as the principal or contract data processor within the scope of a contract relating to the processing of personal data, the following shall apply:

  • A contract data processor shall be selected who will guarantee the technical and organizational security measures required for processing personal data and provide sufficient guarantees with respect to the protection of personal rights and the exercise of rights related thereto. The latter is the case at S.C. AR25 Studio S.R.L. entities to which this Directive applies. Otherwise, such guarantees may have to be secured by obligating the contract data processor to observe the general principles of this Directive or by applying the standard contractual clauses provided by the European Union (EU).
  • The processing of personal data by a contract data processor must be regulated in a written agreement in which the rights and duties of the principal and of the contract data processor are specified.
  • The contract data processor is contractually obligated to process personal data only within the scope of the contract and the directions issued by the principal. Personal data may not be processed for any other purpose.The principal remains the data controller of the personal data and the contact partner for data subjects.

4.9 Automated Decisions Affecting Data Subjects
Certain countries provide in their legal provisions restrictions relating to automated decisions that affect data subjects. This applies to decisions which are the result of automated personal data processing having legal consequence for the data subject or a negative effect on him/her. In those exceptional cases in which such automated decisions are rendered by S.C. AR25 Studio S.R.L., the data subjects will be notified about the occurrence of such an automated decision affecting data subjects and shall be given the possibility of commenting on or questioning the decision. In such case the decision must be reviewed again.

  1. Transfer of Personal Data

A transfer of personal data within the European Economic Area (EEA) is generally permitted if processing of the data is also permitted according to Section 4.1.

For transfer of personal data within the country in which data has been collected, compliance with the existing legal requirements of the respective country must be ensured.

5.1 Transfer of Personal Data from the EEA to Third Countries
Based on Section 4.1 of this Directive, the transfer of personal data from an EEA country to a third country is permitted only if:

  • the data subject has explicitly given his/her consent; or
  • the transfer of personal data is necessary for the performance of a contract between the data subject and the data controller or in order to take steps prior to entering into a contract initiated by the data subject; or
  • the transfer of personal data is necessary to complete or to fulfill a contract which was made or is to be made with a third party by the data controller in the interest of the data subject; or
  • the transfer of personal data is either required or prescribed by law for the protection of an important public interest or for the exercise, enforcement or defense of legal claims; or
  • the transfer of personal data is necessary for the protection of a vital interest of the data subject; or the transfer of personal data to a third country which the European Commission has deemed to have an adequate data protection standard4; or
  • the receiving party provides sufficient guarantees within the meaning of this Directive with respect to the protection of personal rights and the exercise of rights related thereto. This is the case for S.C. AR25 Studio S.R.L. entities to which this Directive applies.

If the recipient is not a S.C. AR25 Studio S.R.L. entity, it must be ensured that this Directive applies to the recipient accordingly. S.C. AR25 Studio S.R.L. entity transferring personal data will take appropriate measures in case of violations by the recipient.

5.2 Transfer of Personal Data within a Third Country or to Another Third Country
The further transfer of personal data which have been transferred from the EEA to a recipient within the third country or to another third country is only permitted, subject to Section 4.1, if such third country has an adequate data protection standard or if one of the circumstances described in Section 5.1 of this Directive applies. In any case, the S.C. AR25 Studio S.R.L. entity in the EEA which transferred the personal data shall be informed prior to a further transfer of personal data within the third country or to another third country.

5.3 Provision of Operational Address, Function and Communication Data
For the purpose of internal corporate communication it is permitted to provide operational address, function and communication data including information on cost centers – for instance via intranet or central directories – within the S.C. AR25 Studio S.R.L. to the extent necessary for that purpose. The restricted purpose of the data of all users must be borne in mind.

  1. Rights of the Data Subject

6.1 Information Right
Each data subject has the right to demand information about the type of personal data concerning him/her that is processed by a S.C. AR25 Studio S.R.L. entity. This information will be provided irrespective of the place where the personal data are processed. The data subject may address any such application for information to the local human resources department of the respective S.C. AR25 Studio S.R.L. entity (see also Section 7.3). The specialist departments must provide the necessary support.

6.2 Correction Claim
If the stored personal data are incorrect or incomplete, the data subject may require correction. Data subjects are responsible for providing only correct personal data to the respective S.C. AR25 Studio S.R.L. entity. In addition, data subjects shall inform the respective S.C. AR25 Studio S.R.L. entity of any relevant changes (e.g. changes of address or name).

6.3 Rejection of Request for Information or Correction
If the request for information or correction is rejected, the data subject will be informed about the reason for such rejection.

6.4 Deletion
If the data subject demonstrates that the purpose for which the personal data are processed is no longer permissible, necessary or reasonable under the circumstances, the respective personal data will be deleted, subject to legal provisions to the contrary.

6.5 Right to Object
Each data subject has the right to object if his/her personal data are used for advertising purposes or for the purpose of market or opinion research. If required by national law, the data subject shall be informed about the right to object (opt-out) and about the data controller. In this case, the personal data must be blocked for this purpose. It must also be noted that some countries require consent prior to the processing of personal data for the purposes mentioned above (opt-in). Furthermore, the data subject has a general right to object to the processing of his/her data. This objection must be heeded if an investigation shows that the need for protection of the subject’s interests in light of his/her special personal situation outweighs the interest that the responsible unit would have in processing his/her data. Such objection shall not, however, be heeded if processing of the subject’s data is mandatory under applicable law.

6.6 Questions and Complaints/Remedies
Regarding possible questions, complaints or remedies please refer to Section 7.3.

  1. Procedural Rules

7.1 Implementation within the S.C. AR25 Studio S.R.L.
The Group companies, as data controllers, must ensure compliance with the principles embodied in this Corporate Directive. In this respect, the managerial employees of the S.C. AR25 Studio S.R.L. entities shall ensure that this Directive is implemented, which includes in particular providing information to the employees. Should additional training be required, the Privacy Officer or his/her local representative should be approached. Information shall also include emphasizing that violation of the general principles of this Directive may possibly entail consequences under criminal, liability or labor law.

7.2 Privacy Officer
A Privacy Officer will be appointed by the Board of Management of S.C. AR25 Studio S.R.L. to monitor compliance with this Corporate Directive. If necessary, the Corporate Privacy Officer will be supported by local representatives (Regional Privacy Officers), who are responsible for ensuring data protection in the legal entities and shall also inform the Privacy Officer in case of complaints.

Such local representatives shall follow the instructions of the Corporate Privacy Officer. Where a Regional Privacy Officer also assumes the function of a Legal Entity Privacy Officer, he/she shall cooperate closely with the Corporate Privacy Officer but shall not be bound by the latter’s instructions. In their duties as defined in this Corporate Directive, the Corporate Privacy Officer and his/her local representatives are not bound by instructions from management.

The managerial employees of the S.C. AR25 Studio S.R.L. are obligated to support the Corporate Privacy Officer and his/her local representatives in the exercise of their duties.

If you have any questions please contact the Corporate Privacy Officer: E-mail: contact@adelinarusu.com

Please contact our Privacy Officer to get a list of the local representatives

7.3 Questions and Complaints/Remedies
Data subjects may contact the Privacy Officer or his/her local representatives at any time with any questions and complaints regarding the processing of personal data. Such questions and complaints will be treated confidentially.

If a question or complaint raised by a data subject relates to an alleged violation of this Directive by a S.C. AR25 Studio S.R.L. entity located in a country other than the country in which the data subject resides, the data subject may contact the S.C. AR25 Studio S.R.L. entity which transferred the data. Should the alleged violation be confirmed, the S.C. AR25 Studio S.R.L. entities affected will cooperate with the respective parties (e.g. data protection agencies, other entities) in line with this Directive and remedy such alleged violation.

If the issue raised by a data subject is not remedied, the data subject may file a complaint with the Privacy Officer. The Privacy Officer will inform the data subject about his/her decision and the respective remedies. The procedures described in this Directive apply in addition to any other legal remedies and procedures available to the data subject, including the right of the data subject to submit questions and complaints to the responsible data protection agency.

7.4 Obligation towards Data Protection Agencies
The party receiving personal data transferred from the EEA to a third country and the Corporate Privacy Officer are obligated, upon request, to cooperate with the data protection agency of the country in which the transferring party is located and to respect its findings, provided that these have been rendered following due process of law with respect to the transferring and receiving parties. The transferring party in the EEA also has the right to review the processing of personal data by the receiving party.

7.5 Amendment of the Directive and Continued Application
S.C. AR25 Studio S.R.L. reserves the right to amend this Directive as necessary, for instance to comply with changes to statutes, regulations, requirements of data protection agencies or internal S.C. AR25 Studio S.R.L. procedures. Where required by law, S.C. AR25 Studio S.R.L. will submit any amended version for regulatory review.

Should this Directive become invalid, irrespective of the reasons or causes for such invalidity, all S.C. AR25 Studio S.R.L. entities are bound by this Directive with respect to personal data transferred prior to the date of such invalidity, unless the Directive has been replaced by a new regulation.

7.6 Publicity
The current version of this Directive shall be made available to all data subjects in a suitable manner, e.g. via the Intranet or Internet.

7.7 Relationship to Other Company Regulations
Should other company regulations conflict with this Directive, this Directive shall take precedence.

  1. Definitions

Anonymization is the changing of personal data such that this can no longer be assigned to a certain or ascertainable individual.
Consent is any freely given, informed declaration by the data subject that he/she accepts the processing of his/her personal data. Consent may be subject to particular requirements arising from respective national laws.
Contract data processor is the individual or legal entity that processes personal data on behalf of a data controller.
Data controller is the legally independent S.C. AR25 Studio S.R.L. entity that decides the purposes and means of processing personal data.
Data protection/privacy is the sum of all actions taken to protect the personal rights of data subjects when handling their personal data.
Data subjects are all individuals whose personal data are processed within the S.C. AR25 Studio S.R.L., including current, future and former employees, customers, suppliers and other contractual partners, interested persons, subjects and patients in clinical trials.
Legal Entity Privacy Officer is the person officially named to monitor internal data protection at a legal entity in the S.C. AR25 Studio S.R.L.. He/she reports to the management of that legal entity under local law without being bound by management’s instructions.
Personal data are any information relating to an identified or identifiable individual. An individual is identifiable if he/she can be directly or indirectly identified, e.g. by assigning a reference number.
Processing of personal data is any automated or non-automated operation or set of operations performed in respect of personal data – such as collection, recording, storage, adaptation, alteration, selection, retrieval, use, transmission, blocking, deletion or erasure. This definition will also apply to the word “processed” when used in this context.
Pseudonymization is the replacement of a data subject’s name and other identifiable characteristics with a label for the purpose of preventing identification of the data subject by unauthorized parties or to greatly impede such identification.
Regional Privacy Officer is the person responsible for communicating and monitoring legal and corporate data privacy requirements at regional and operational level.
Safe third country is a country which the EU Commission deems to have an adequate data privacy standard.4

Sensitive data are special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual orientation.
Third country is every country outside the European Economic Area (EEA5).

Third party is every individual or legal entity that cannot be assigned to the data controller, e.g. every external business partner but also any other company in the Group. Third parties are not the data subject himself/herself nor contract data processors within the European Economic Area (EEA).
Transfer of personal data is the forwarding of personal data, its distribution or all other forms of transfer to third parties. This definition also applies analogously to the words “transferred” and “transferring” when used in this context.