Privacy Policy

31.03.2026

1. Who is responsible for your personal data

The personal data controller is ARENA GROUP S.A., a Romanian legal entity, headquartered in Bucharest, Sector 2, Str. Ștefan Mihăileanu no. 31, registered with the National Office of the Trade Register at the Bucharest Tribunal under no. J40/19872/1993, with Tax Identification Code: RO4504418, e-mail: contact@arenagroup.ro

ARENA GROUP S.A. processes your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, hereinafter referred to as “GDPR“) and Law no. 190 of 18 July 2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

2. Definition of terms used in this Privacy Policy

  • Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Data controller – a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
  • Consent – of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Data processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction thereof.
  • Standard Contractual Clauses – means the model transfer clauses adopted by the European Commission or by a Supervisory Authority and approved by the European Commission.
  • EEA – European Economic Area.

3. Categories of personal data we process

We may collect and process, in accordance with this Privacy Policy and applicable legislation, the following categories of personal data (conventional or digital):

  • Identification data: surname, first name, initials, date of birth, personal identification number / identification number, tax identification code, professional credentials (where applicable), driving licence data, work and residence permit number (where applicable).
  • Contact data: postal and billing address, e-mail address (personal and/or professional), telephone number (personal and/or professional), emergency contact details of a close person.
  • Online identifiers and technical data: IP address, browser type, language settings, access times and sessions, as well as other similar data generated as a result of your use of our website and online services (for details, please consult our cookie policy).
  • Professional data: workplace, profession, position, job title, department, field of activity, specialisation, professional or academic degree, qualifications, as well as information regarding the capacity in which you act in our interaction.
  • Content of communications and signatures: the content of our communications (in physical and/or electronic format), your questions, requests, complaints, reports or notifications, as well as your handwritten or electronic signature and, where applicable, audio/video recordings (e.g., calls to the helpline, testimonials).
  • Recruitment and human resources data: the position, department or work location for which you are applying, information regarding your education, professional training and professional experience, as well as other information you choose to include in your CV and/or cover letter, including, where justified by applicable legal provisions, photographs, copies of identity documents or diplomas, criminal record or health data.
  • Contractual data and financial transactions: information necessary for the conclusion and performance of contracts with you (e.g., identification and contact data, personal identification number or tax identification number, details regarding the contractual relationship, documents and evidence related to the performance of the contract), as well as data relating to the purchase or sale of goods (e.g., description of goods, related correspondence and signatures).
  • Product safety, quality and pharmacovigilance data: data processed in connection with adverse event reports or product quality complaints, such as those relating to the reporter or complainant (identification and contact data, qualification/role, content of the report); the person who experienced the adverse event (initials, date of birth, age/age category, sex, pregnancy period, where applicable); description of the adverse event or quality complaint (signs and symptoms, date of onset, outcome/evolution, description of the quality issue); information about the product concerned.
  • Whistleblowing and compliance data: data processed where you are involved in a whistleblowing report (as a whistleblower, reported person, witness or other third party), such as identification and contact data, work and residence permit number (where applicable), information regarding disciplinary measures/actions, as well as the content of the report and related communications.
  • Event and marketing communications data: data processed where you subscribe to our newsletters or participate in events organised by us or in which we participate, namely your identification and contact data, workplace and position, consent-related information, as well as visual and audio recordings (photographs, videos, voice recordings) made during events and which may be distributed through internal and/or external communication channels (e.g., website, social media), in accordance with applicable legislation.
  • Social media content: data processed in connection with our presence on social media, such as username, profile picture and status, as well as reactions, comments, shares and other similar interactions with our content or with the content we interact with, based on our legitimate interests.

As a general rule, we only process personal data that is adequate, relevant and limited to what is necessary, in relation to our activities and the relationship we have with you.

We do not collect special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data or data concerning sex life or sexual orientation (“Special categories of personal data”).

We may process certain health-related data or similar information only in strictly limited situations provided for by law (e.g., in the context of pharmacovigilance, product safety and quality or health and safety requirements at our premises), with the application of appropriate safeguards.

If you do not provide the requested personal data, we may not be able to carry out the activities described in this Privacy Policy or to fulfil our legal and/or contractual obligations.

4. Source of your personal data

We may obtain personal data:

  • directly from you (through forms, e-mail, contracts);
  • automatically through the use of the website (cookies, technical logs – please consult our cookie policy in this regard);
  • or from other legitimate sources (business partners, your employer, public institutions or authorities or public sources, persons reporting adverse reactions experienced by you).

5. Purposes and legal bases for the processing of personal data

ARENA GROUP S.A. processes only the personal data strictly necessary for the purposes listed illustratively below, having a valid legal basis, resulting from the exercise of its authorised economic activity and the need to comply with legal obligations.

Depending on the category of personal data processed, such data may be processed for the following purposes:

  • Management of public and commercial relations, communication with partners and clients, marketing, promotion and business development.
  • Registration, manufacture, import, export and distribution of products.
  • Management of product quality and pharmacovigilance systems.
  • Ensuring high standards of health and product quality and safety.
  • Recruitment and management of human resources, occupational health and safety, as well as emergency situations.
  • Management and performance of commercial contracts and other types of contracts.
  • Management of financial and accounting processes, financial resources and legal reporting.
  • Management of complaints and litigation.
  • Administration and operation of the website, management of IT resources and information security.
  • Analysis of website usage, improvement of user experience and website usage statistics.
  • Organisation and support for events.
  • Physical security and protection of persons, protection of our assets and the assets of our clients and suppliers and protection of operational activities.

The legal bases for the processing of personal data are the following:

  • Art. 6(1)(a) GDPR – consent
    Processing based on your freely given, informed and unambiguous consent, for one or more specific purposes.
  • Art. 6(1)(b) GDPR – contract
    Processing necessary for the performance of a contract or for steps prior to entering into a contract.
  • Art. 6(1)(c) GDPR – legal obligation
    Processing necessary for compliance with a legal obligation to which the controller is subject.
  • Art. 6(1)(e) GDPR – public interest / official authority
    Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Art. 6(1)(f) GDPR – legitimate interests
    Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

6. Storage period

Your personal data is retained only for the period necessary to fulfil the purposes for which it was collected or to comply with applicable legal obligations, in accordance with this Privacy Policy.

7. Data processors and recipients of personal data

Data processors:

Data may be processed by suppliers acting on our behalf, such as: IT and cloud service providers, security providers, human resources and recruitment service providers, payroll, accounting and administrative service providers, occupational health and safety providers, pharmacovigilance and regulatory support service providers, legal service providers, marketing service providers, communication and event organisation providers, archiving service providers, marketing and communication or pharmacovigilance service providers, CRM and newsletter platform providers.

Recipients:

By virtue of our legal obligations, your personal data may be disclosed to authorised third parties entitled to obtain such data, including:

  • The National Supervisory Authority for Personal Data Processing
  • The National Cyber Security Directorate
  • Judicial authorities in Romania (courts, prosecutors’ offices, police)
  • The National Agency for Fiscal Administration
  • The Ministry of Finance
  • The National Agency for Medicines and Medical Devices
  • The Ministry of Health
  • The Territorial Labour Inspectorate
  • Occupational medicine service providers
  • Postal service operators
  • Insurance and claims management companies
  • Other competent public authorities (central or local).

8. Transfers of your personal data outside the EU/EEA and to international organisations

In general, we process your personal data in Romania and in other EU/EEA countries, where the same data protection rules apply, in accordance with the GDPR.

In certain exceptional situations, we transfer such data to countries outside the EU/EEA or to international organisations, only if the recipient ensures an adequate level of protection and if your rights can be effectively exercised in the respective country.

We will transfer your personal data outside the EU/EEA only if at least one of the following conditions is met:

  • The European Commission has adopted an adequacy decision for the respective country or organisation; or
  • Standard Contractual Clauses adopted by the European Commission have been implemented.

When we transfer your personal data to recipients in countries that are not subject to an adequacy decision, we generally rely on the European Commission’s Standard Contractual Clauses, as well as, where necessary, additional technical and organisational measures.

9. Security of your personal data

ARENA GROUP S.A. applies appropriate technical and organisational measures to ensure security and confidentiality, including protecting data against unauthorised or unlawful access, accidental or unlawful loss or destruction.

We apply internal data protection policies, procedures and training programmes and regularly review and update these measures.

As the internet is an open system, the transmission of information over the internet cannot be completely secure; therefore, any personal data you transmit to us online is done at your own risk, which is why you should ensure that such data is transmitted to us securely.

We also take reasonable measures to ensure the accuracy of the personal data we process and, where necessary, to update it, and we ensure that inaccurate or incomplete personal data is erased or rectified without undue delay.

Periodically, we may ask you to confirm the accuracy of your personal data, and you may contact us at any time to request the rectification, completion or erasure of your personal data.

10. Your rights regarding personal data

You have the following rights in connection with the processing of your personal data, unless otherwise provided by law:

  • Right of access – the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, as well as access to such data and information about the processing;
  • Right to rectification – the right to have, without undue delay, the rectification of inaccurate personal data and/or the completion of incomplete personal data;
  • Right to erasure / right to be forgotten – the right to obtain from us the erasure of personal data without undue delay, where:
    • the data is no longer necessary for the purpose for which it was collected;
    • consent is withdrawn and there is no other legal basis for processing;
    • you object to the processing and there are no overriding legitimate grounds;
    • the data has been unlawfully processed;
    • the data must be erased to comply with a legal obligation.
    This right does not apply where processing is necessary for:
    • the exercise of the right to freedom of expression and information;
    • compliance with a legal obligation;
    • the performance of a task in the public interest;
    • reasons of public interest in the area of public health;
    • archiving or research purposes;
    • the establishment, exercise or defence of legal claims.
  • Right to restriction of processing, where:
    • you contest the accuracy of the data;
    • the processing is unlawful and you request restriction;
    • we no longer need the data but it is required for the defence of a right;
    • you have objected to the processing.
  • Right to data portability – the right to receive the data you have provided in a structured format and to transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means.
  • Right to object – the right to object at any time to processing based on public interest or legitimate interests.
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects the data subject.
  • Right to withdraw consent, where processing is based on consent.
  • Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

11. How you can exercise your rights and how to contact us

Any request to exercise your rights must be made in writing, dated and signed, and may be sent to the company, as data controller, by post or by e-mail to the following addresses (contact details):

  • Postal address: Str. Ștefan Mihăileanu no. 31, Sector 2, Bucharest, postal code 24022
  • E-mail: contact@arenagroup.ro

We respond to your requests within a maximum of one month from receipt of the request, except in situations where we have a very large number of requests, in which case the response period may be extended to two months.

You also have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), headquartered at: B-dul G-ral Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Telephone: 031.805.92.11; E-mail: anspdcp@dataprotection.ro.

12. Direct marketing

You may unsubscribe at any time from the mailing list and marketing communications by using the unsubscribe option or by contacting us directly.

13. Privacy policy for minors

The website is intended for an adult audience.

We do not intentionally collect data from persons we know to be under the age of 16 without the prior consent of their legal representative.

Such a legal representative has the right, upon request, to view the information provided by persons under 16 and/or to exercise the rights detailed in this document.

14. Revisions to this Privacy Policy

This Privacy Policy may be updated periodically to reflect legislative or operational changes.

We recommend that you periodically consult the Privacy Policy to stay informed about how we process your personal data.