Privacy Policy

I. General information

The pages on the platform (“the platform”) are published and operated by Medicover Integrated Clinical Services Romania S.R.L a limited liability company registered under the laws of Romania under no. J23/1113/2012, trading under the registered trade name “Medicover Integrated Clinical Services” (herewith ‘’MICS”) as a Data Processor, having its place of business at 25 Industriilor Street, Chiajna, Ilfov, Romania, 077040, on behalf of Sandoz AG as a Data Controller, having its registered office at Centralbahnstrasse 4, CH-4051 Basel, Switzerland (herewith “Sandoz” or “we”). Sandoz may exercise this responsibility alone or jointly with other company(-ies) in the Sandoz Group, acting as “co-controller(s)”.

Depending on the relationship between you / your organization and us, Sandoz is either a data controller or a data processor responsible for personal data processed in the platform (where Sandoz entered into data processing agreement with your organization) on behalf of your organization. If you provide personal data to us about any person other than yourself (e.g. patients), you must ensure that they understand how their personal data will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to process it.

We respect your right to privacy and will process personal information you provide only in accordance with the General Data Protection Regulation (EU) 2016/679 hereinafter (“GDPR” or “General Data Protection Regulation”) and other applicable privacy laws. This Privacy Policy is informing you about the processing activities on this platform.

The terms used in this Privacy Policy have the meaning of the definitions mentioned in the General Data Protection Regulation.

II. The information collected and how it is used

We will not collect any information about individuals, except where it is specifically and knowingly provided by them.

Details of cookies that are used on the platform can be found in the Cookie Policy.

II.1. The personal data categories processed

The following personal data may be processed through this platform:

  • When using the details to contact us, we may process your e-mail address, phone number, postal address, depending on how you decide to contact us. We also may process any other personal information you disclose to us when contacting us.

  • When accessing the register button, we may process your registration information in order to create an account onto the platform: work email address, phone number, postal address, first name, last name, institute name, position of the HCP;

  • When accessing the login button, we may process your credentials to log into the platform: email address;

  • When registering a biological sample, we will process the information necessary to allow the registration for JCV testing of blood and CSF (Cerebrospinal fluid) samples in the Program, such as: first name, last name, date of birth, type of biological sample, results of laboratory testing, sample barcode, unique platform identification number and hospital patient identifier;

  • When using the platform, we may collect and process certain profession related personal data, such as: your name, surname, e-mail address, phone number, postal address, e-mail address, place of work.

  • When asking for feedback regarding the use of the platform: name and surname, HCP email address, phone number any other personal information that you may add while giving feedback;

  • When based on the feedback received, we decide to contact you in order to better understand the feedback: email address, phone number, name and surname, HCP, any other personal information that you may add during this feedback follow-up.

  • For security reasons and for activating the 2 Factor Authentication system we need to collect mobile phone number from (HCP super users and HCP standard users). Due to the fact that for providing this security measure we will render the services for an Application Programming Interface (API) provider, additional personal data can be processed by said provider and the sub-processors used by that provider in order to provide such services, such as but not limited to: device identification number. Details about the provider rendered can be found in Chapter II.3 – Third Party use of information.

II.2. Lawful basis and purposes of processing

The purposes and scope to which we may process the above-mentioned personal data and the lawful basis to process the information:

  • When contacting us, we may process data subject’s personal data based on our legitimate interest in receiving and answer the request when contacting us. The personal data collected is strictly the data that the data subject will disclose to us when using our contact details and it will be used in order to answer the request.

  • In order to use the platform, it may be necessary to create a user account by registering beforehand. When accessing the register or login button, your personal data is processed strictly in the scope of accessing and using the platform and to fullfil our obligation under the execution of contract between the parties in the Program, such as: healthcare services provider and the platform. The legal basis for processing your personal data is fulfilment of obligations under the agreement with you.

  • When contacting us, we will process the data subject personal data based on the legitimate interest to solve the request received. Therefore, if a data subject does not want its personal data to be processed by us, the data subject needs to refrain from sending such personal data.

  • When using our platform there are certain information as mentioned above, processed by us for security reasons. We have a legal obligation to ensure the security of the platform and of the personal data processed through the platform, even though Sandoz does not have direct access to the data processed and those personal data are being processed by Data Processor on behalf of Sandoz.

  • When asking for feedback regarding the use of the platform or any other aspects of the Program, it will process the personal data based on the legitimate interest to understand the feedback better;

  • When based on the feedback received, we need more information or clarification to understand the issue at hand, we will further process the personal data based on legitimate interest to contact you in order to understand the feedback better and solve any urgent matters. After the problem mentioned through feedback is resolved, you will be getting a closure email regarding the issue based on the same lawful basis mentioned above (legitimate interest).

  • When registering a patient, you will be requested to fill in certain boxes with the minimum set of information needed on our side with the purpose of performance of the laboratory test results as part of the Program.

  • When using the 2FA, a mobile phone number is required in order for the security code to be sent via sms. The purpose for processing this particular personal data is to increase security of the platform by preventing fraudulent login. The legal basis for processing your personal data is our legitimate interest to keep the platform secure.

  • After anonymizing the personal data received through the platform, the data will be used for statistical and scientific research purposes.

II.3. Third-party use of information

The personal data collected through the platform can be disclosed to:

  • Data subject and its legal representatives;
  • Representatives of MICS, only on a need-to-know basis and in accordance with documented instructions from Sandoz;
  • MICS’s sub-Processors from a variety of domains: software as a service provider, data center providers, helpdesk provider, IT service providers, including IT security, laboratories;
  • Other contractual partners of Sandoz involved in carrying out activities, such as: legal consultants, fiscal consultants, professional organizations;
  • Judicial and public authorities, international organizations if required by applicable law.

Except as described above, your personal data will not be disclosed, sold, or otherwise transferred to any third party.

Sandoz will not receive any personal data or other information processed by its Data Processor in relation to JCV testing of biological samples. Sandoz may however receive from Data Processor anonymous statistical data and reports.

Finally, we may also collect anonymized details about visitors to the platform for the purposes of aggregate statistics or reporting purposes. However, no single individual will be identifiable from the anonymized details collected for these purposes.

II. The period of personal data processing

Your personal data will be processed for the time necessary to achieve the purposes of processing and subsequently in accordance with any applicable internal policies, as well as to comply with applicable legal obligations, including, but not limited to, the provisions regarding the archiving obligation, securing the personal data.

It is possible that, following the fulfillment of the legal archiving deadline, we may order the anonymization of the data, thus depriving them of personal character and to continue the processing of the anonymous data for statistical purposes.

III. Security

We have implemented appropriate technical and organizational measures designed to provide an adequate level of security and confidentiality for your personal data. The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

These measures take into account the state of the art of the technology, the costs of its implementation, the nature of the data and the risk of the processing.

IV. Transfer of personal data

We may transfer personal data that is collected from you to data processors located in countries that are outside of the European Economic Area (EEA) in connection with the above purposes. In such a case we will transfer personal data only to the countries outside the EEA that have a level of data protection comparable to the data protection law of the European Union, as determined by a competent data protection authority.

Where your organization, in its role as data controller, is located outside of EEA, United Kingdom, and Switzerland, we have entered into Data processing agreement and Standard Contractual Clauses with it to ensure relevant transfer mechanism for transfers of personal data outside the EEA, United Kingdom, and Switzerland.

In case you have further questions regarding international transfer, please contact as using the contact details mentioned in the Section V of this document.

V. Your rights

According to GDPR you have the following rights:

  • 1. The right to information – the right to receive a minimum content of information regarding the processing activities performed by the Data Controller, in accordance with the legal requirements;

  • 2. The right of access by the data subject – the right to obtain, upon request and under the conditions established by law, confirmation that the data concerning him/her are or are not processed and details on processing activities;

  • 3. The right to rectification – the right to obtain the rectification of inaccurate personal data concerning the data subject, respectively to obtain the completion of personal data are incomplete, including by providing an additional statement;

  • 4. The right to the deletion of data (”the right to be forgotten”) – the right to obtain the deletion of personal data concerning the data subject, without undue delay, in cases provided by law;

  • 5. The right to restriction of processing – the right to obtain the restriction of the processing, in so far as the conditions provided by law are met;

  • 6. The right to data portability, namely (i) the right to receive personal data in a structured, commonly used, and easy to read format, and (ii) the right to have such data transmitted by to another Data Controller, provided that the conditions by law are met;

  • 7. The right to object – the right to object at any time, for well-founded and legitimate reasons related to his situation; Regarding direct marketing activities, data subjects have the right to object to such processing at any time;

  • 8. The right not to be subject to an automatic individual decision – the right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects which concern or affect it in a similar way to a significant extent;

  • 9. The right to withdraw consent when there is processing based on it; Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.

If you wish to exercise any of the above rights, under the conditions and within the limits set forth in the law, please click here or write to sandoz_global.dpo@sandoz.com.

If you have a question or you are not satisfied with how we process your personal information, you may address your request to our data protection officer at sandoz_global.dpo@sandoz.com.

In any case, in addition to the above rights, you also have the right to file a complaint with the competent data protection authority.

VI. Third-party sites

Please note that this privacy policy applies only to the personal information that is collected through the Program mentioned above.

Last updated on 2025 Jan 20