The companies Mediplus Exim S.R.L. with registered office in Mogosoaia, 53rd Aeroportului St., Ilfov, registered at the Trade Register Office under no. J23/741/2007, SIN RO9311280, and DR.MAX S.R.L., with registered office in Mogosoaia, 53rd Aeroportului St., Ilfov, registered at the Trade Register with order number J23/673/2007, SIN RO9378655, as controllers(„the Companies”), hereby inform you on the processing of your personal data in the context of certain operations carried out by the Companies.

The Companies acts as a personal data controller for the purpose of ensuring the security and protection of property and persons on the premises belonging to the Companies, by implementing a video surveillance system at the access points thereto, as well as rules on access to the premises of the Companies, by issuing and granting access cards.

1. Purpose, categories of data and grounds for processing

This information notice relates to your status as employees, customers, visitors to the Companies' premises, including agents, operators, occupants, contractors and/or suppliers or other categories of persons who may have access to the Companies' premises.

The Companies processes the personal data listed in Section 2 below for the following purposes, based on the legal grounds indicated for each purpose:

2. Collection of personal data

The Companies have collected your personal data from the following sources:

    2.1 For video surveillance: the video surveillance system located on the premises of the Companies, which has been mounted in visible places at the access points.

    2.2 For the implementation of the rules on access to the Companies' premises, by issuing and granting access cards: the data is collected directly from the data subject.

3. Recipients of personal data

In order to fulfil the purposes mentioned above, the Companies uses the services of several contractual partners.

Some of them are processors, such as specialized security and protection companies, companies that carry out security activities for objectives, goods or values, in conditions of maximum security of the same, as well as the protection of persons and are active in the protection and security sector and carry out their commercial activity in Romania, Bucharest, and they may be provided with your personal data to be used within the limits of the obligations they assume towards the Companies. The personal data that we disclose to our assignees is limited to the minimum personal information that is necessary for the provision of those services and we ask them not to use personal data for any other purpose.

We make every effort to ensure that all entities we work with store your personal data in a safe and secure manner.

The personal data indicated above may also be made available or transmitted to third parties in the following situations: (i) public authorities, auditors, or institutions with powers to carry out inspections and controls on the Companies' activity and assets and/or which request the Companies to provide information, by virtue of the latter's legal obligations. Such public authorities or institutions may be courts, police; or (ii) to comply with a legal requirement or to protect the rights and assets of our Companies or other entities or persons, such as courts.

In addition, for the purposes of the above processing, we may distribute your personal data to Group companies, that will fully comply with the Companies' instructions regarding the processing of your personal data.

4. Processing time

We will store your personal data only for the period necessary to achieve the above processing purposes, while complying with the legal requirements in force. Should the Companies determine that it has a legitimate interest or legal obligation to further process your personal data for other purposes, you will be duly informed to this effect.

We estimate that the processing activities detailed above will require the storage of personal data for the following periods:

**Except where necessary to protect the legitimate interests of the controller or where there are legal obligations of retention. In such cases, we will act in accordance with the law, including informing you.

5. What happens to your personal data after the processing has ended

Once the processing period indicated above expires and the Companies no longer have legal or legitimate grounds to process your personal data, the data will be deleted in accordance with its procedures, which involves their destruction.

6. Refusal of processing and its consequences

The data processing described in section 1, purposes 1, 2 and 3, is a legal obligation of the Companies, to ensure the security and protection of the establishments where it holds valuables and assets. If you do not wish your data to be processed for this purpose, you will not be able to access the premises of the Companies.

7. Security of data processing

The Companies hereby inform you that we constantly evaluate and update the security measures implemented to ensure safe and secure processing of personal data.

8. Rights of the data subject regarding data processing

In the context of the processing of your personal data, you have the following rights:

1. Right of access to personal data processed: you have the right to obtain confirmation as to whether your personal data are being processed and, if so, to have access to the type of personal data and the conditions under which they are processed, by making a request to the data controller;
2. The right to request rectification or erasure of personal data: You have the possibility to request the rectification of inaccurate personal data, the completion of incomplete data or the erasure of your personal data if (i) the data are no longer necessary for the original purpose (and there is no new lawful purpose), (ii) the legal basis for the processing is the data subject's consent, the data subject withdraws his or her consent and there is no other lawful basis, (iii) the data subject exercises the right to object and the controller has no overriding legitimate grounds for continuing the processing, (iv) the data have been unlawfully processed, (v) erasure is necessary for compliance with EU or Romanian law, or (vi) the data have been collected in connection with information society services offered to children (if applicable), where specific consent requirements apply;
3. Right to request restriction of processing: you have the right to obtain restriction of processing in cases where: (i) you consider that the personal data processed is inaccurate, for a period allowing the controller to verify the accuracy of the personal data; (ii) the processing is unlawful, but you do not want us to erase your personal data but to restrict the use of such data; (iii) if the data controller no longer needs your personal data for the purposes mentioned above, but you need the data to establish, exercise or defend a legal claim; or (iv) you have objected to the processing, for the period of time within which we verify whether the data controller's legitimate grounds outweigh the data subject's rights;
4. The right to withdraw your consent to the processing, where the processing is based on consent, without affecting the lawfulness of the processing carried out up to that moment;
5. The right to object to the processing of data on grounds relating to your particular situation, where the processing is based on legitimate interest, and to object at any time to the processing of data for direct marketing purposes, including profiling.
6. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or otherwise significantly affects them.
7. The right to data portability, meaning the right to receive your personal data that you have provided to the data controller in a structured, commonly used and machine-readable form, and the right to transfer that data to another controller, where the processing is based on your consent or the performance of a contract and is carried out by automated means;
8. The right to lodge a complaint with the Data Protection Authority (ANSPDCP) and the right to apply to the competent courts.

The above rights can be exercised at any time. To exercise these rights, we encourage you to send a written, dated and signed request or an electronic request to the following address: Mogoșoaia, 53rd Aeroportulul St., Ilfov or by e-mail to dpo@drmax.ro

9. Data Protection Officer

You may address any questions regarding this document to the Data Protection Officer, who can be contacted using the following contract details:

E-mail dpo@drmax.ro

Tel: 021.301.74.74

Fax: 021.301.74.75

Address: Mogoșoaia, 53rd Aeroportulul St., Ilfov.

Data: 11.04.2023