Information note on the processing of personal data (GDPR)

by Tache Alina-Cătălina – Cabinet Individual de Psihologie

1. Details of this information note

Tache Alina-Cătălina – Cabinet Individual de Psihologie is the complete registered name for the psychotherapy private practice led by me, Alina Tache. I am a psychologist-psychotherapist accredited by the Romanian College of Psychologists (stamp code: 16438), and the private practice represents the legal entity through which I carry out my professional activity.

In this information note I explain to you how your personal data is processed by me, as a representative of the private practice, and in which I ensure that your personal data is processed responsibly and in accordance with the applicable personal data protection legislation.

I take your data very seriously. It is a priority for me to be in compliance with personal data protection legislation and ethical practices in the field, as well as ensuring a climate of transparency, security and trust for my clients.

This information note contains important details. Therefore, I encourage you to take the time to read it in its entirety, carefully, and make sure that you fully understand it. Feel free to contact me to clarify any questions you may have. I want to make it clear to you how personal information is used.

2. Who represents the private practice

For the purposes of this information note, Tache Alina-Cătălina – Cabinet Individual de Psihologie is a personal data controller. Here is my complete identity and contact information:


Fiscal registration code: 43439400

Representative: Tache Alina-Cătălina

Headquarters address and correspondence address: str. Veteranilor, nr. 25, bl. D1b, et. P, ap. 3, sector 6, Bucharest. Postal code 060924

Phone number: +40725964808

E-mail: alina.c.tache@gmail.com

If you have any comments, suggestions, questions or concerns regarding any information in this note or any other data processing that I may perform, please do not hesitate to contact me. Depending on your preferences, you can contact me through any of the above communication channels.

3. What data do you process?

The personal data about you that we will process are data obtained directly from you or resulting from the provision of services by me. These include the following categories of data:

  • Personal details, such as: name, surname, gender, date of birth / age, citizenship, personal numerical code (CNP), other information in your identity card.
  • Contact details, such as: home or residence address, telephone number, e-mail address.
  • Payment details, such as: billing address, bank account or bank card number, IBAN code, first and last name of the bank account or bank card holder (may be different from you if someone else paid an invoice in your name and for you), the date from which the bank card is valid, the expiration date of the bank card.
  • Professional details, such as: employer, position.
  • Opinions, visions and information about life history (may include sensitive data), such as: any opinions and visions you pass on to me, your life story, experiences you have had and consider significant, medical history, relationship history and so on.
  • Data on services and interaction with me, such as: records of interactions with me, details on the history of psychological services.

As shown in the list above, you may be able to provide me with information about other people – for example, the history of your relationship with a family member. When they relate to already identified persons or persons which could be identified, I will treat that information as personal data of those persons and provide them with the necessary protection. However, I will strictly abide by my obligation of professional secrecy to you and will not inform said persons of any such processing.

4. The source from which I receive your data

The source from which I receive the above information is you. Or, if the beneficiary of the psychological services is underage, some of the information comes from the parent / legal guardian, and the rest comes from the underage person. The scenarios by which you provide me with this data may be (but are not limited to):

  • Signing a service contract;
  • Telephone conversations;
  • Conversations through written messages (SMS, WhatsApp, e-mail, skype, etc.);
  • Discussions during sessions;
  • Paying for held sessions.

5. Purposes for which I process your data

The purposes for which I process your personal data (other than sensitive data):

  • To be able to conclude or perform a contract with you, at your request. A number of personal details are required to conclude the contract. Similarly, to perform it, i.e. to effectively provide psychological services and collect money for these services.
  • To be able to fulfill my legal obligations, such as archiving or communicating with public authorities.
  • In the case of marketing communications, personal data are processed on the basis of consent for this specific purpose. For example, to subscribe to the newsletter I will ask you to sign a form or tick a box (for electronic subscription), clearly stating the reason why I am asking you to do this.

The purpose for which I process your sensitive personal data: to be able to carry out the activity of psychotherapy, in which certain sensitive information may be relevant (for example, medical history or relationship history). This information (and my obligation to keep it confidential) is legally protected by several documents:

  • The General Data Protection Regulation (EU) 2016/679, on the protection of individuals with regard to the processing of personal data;
  • Law 213/2004 of the Romanian Parliament, on the exercise of the profession of psychologist with the right of free practice;
  • The code of ethics of the profession of psychologist with the right of free practice, as stated by the Romanian College of Psychologists.

6. To whom and under what conditions will I disclose your data

In order to be able to carry out the activity, the private practice may use the services of several contractual partners. These partners have the quality of authorized persons, such as accounting service providers. The personal data we disclose to authorized persons is limited to the minimum personal information that is necessary for the provision of those services and requires them not to use personal data for any other purpose. I make every effort to ensure that all entities I work with store your personal data safely and securely. The personal data indicated above may be made available or transmitted to third parties in the following situations:

  1. Public authorities, auditors or institutions competent to carry out inspections and controls on the activity and assets of the private practice, which request the practice to provide information, in accordance with the legal obligations of the latter. These public authorities or institutions may be the National Authority for The Supervision of Personal Data Processing, the Labor Inspectorate, the Police, the Authority for Consumer Protection, the National Agency for Fiscal Administration;
  2. To comply with a legal requirement or to protect the rights and assets of the practice or other entities or persons, such as legal courts;
  3. To those whom I have given powers of attorney in their respective fields – the accounting firm, the billing company – in the case of billing data.

7. How long do I store your personal data

I will store your personal data only for the time necessary to achieve the purposes of processing, while respecting the current legal requirements. If, after the expiration of the established period, the practice establishes that it has a legitimate interest or a legal obligation to further process your personal data for other purposes, I will inform you accordingly. I estimate that the processing activities will require the storage of personal data either for:

  • the period stated by law; or
  • for an indefinite period, if the applicable laws and regulations allow. However, in this case, we inform you that any data processing will cease upon receipt of your request, and that some or all of your data will be deleted; or
  • until the end of the relevant purpose applicable to certain data.

Once the processing period indicated above has expired and the cabinet has no legal or legitimate reasons to process your personal data, the data will be deleted in accordance with needed procedures, which may involve archiving, anonymizing or destroying them.

8. What are your rights and how to exercise them

According to General Data Protection Regulation 1616/679, regardless of the basis of the processing of personal data, data subjects have the following rights in relation to the processing carried out:

  • The right to be informed;
  • The right of access to personal data;
  • The right to rectify or update personal data when it is inaccurate or incomplete;
  • The right to request the deletion of personal data in certain circumstances (when personal data are no longer necessary in relation to the stated purpose);
  • The right to request the restriction of the processing of personal data;
  • The right to move one’s personal data;
  • The right to object to the processing of personal data;
  • Rights regarding the automatic processing of personal data;
  • The right to withdraw consent, at any time, for the processing of personal data to which previously consented;
  • The right to be notified in case of data security breaches.

To exercise one or more of these rights or to ask any questions about them, please use the contact details in section 2 above. I will try to answer all your questions and concerns as quickly and completely as possible.

9. What can happen if you do not provide my data

You have no obligation to provide me with your personal data that I have mentioned in this document. However, without this personal data, it may not be possible for me to provide you with the services you request.

10. Modifications to this information note

I may change this note from time to time. In such cases, I will inform you in advance and will not reduce your rights regarding your data through any changes made to this note.

11. Security incidents

In the event of a security incident to your personal data, I will inform you of its occurrence. I will look for the causes of the incident, take reasonable steps to mitigate the effects and mitigate any damage resulting from that incident, as well as reasonable steps to prevent a recurrence of a similar breach of data security.

12. Glossary, or terms relevant to this note

Supervisory authority for the processing of personal data: an independent public authority which, in accordance with the law, has responsibilities for supervising compliance with personal data protection legislation. In Romania, this authority for the supervision of personal data processing is the National Authority for The Supervision of Personal Data Processing (Romanian: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal – ANSPDCP).

Special categories of personal data (sensitive personal data / sensitive data): personal data which: reveals racial or ethnic origin, political opinions, religious denominations or philosophical beliefs or trade union membership; genetic data; biometric data for the unique identification of an individual; data about the health, sexual life or sexual orientation of an individual.

Personal data: any information concerning an identified or identifiable natural person (referred to as “data subject”). A natural person is identifiable if they can be identified, directly or indirectly, in particular by reference to an element of identification, for example: name, identification number, location data, online identifier, one / more specific elements, in regards to physical identity, physiological, genetic, mental, economic, cultural or social background of that person. Thus, for example, the notion of personal data includes the following: name and surname; home or residence address; email address; phone number; social identification number; established diagnoses (sensitive data); genetic data (sensitive data); biometric data (sensitive data); geolocation data.

Data processor: means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (i.e., IT service providers, accounting service providers and / or online billing applications, etc.).

Data controller: the natural or legal person who decides why (for what purpose) and how (by what means) personal data are processed. According to the law, the responsibility for compliance with the legislation on personal data lies primarily with the controller. In this relationship, I am the operator, and you are the person in question.

Data subject: the natural person to whom certain personal data refer (to whom “they belong”). In the relationship with me (the operator), you are the person concerned.

Processing of personal data: any operation / set of operations performed on personal data or on personal data sets, with or without the use of automated means; for example: collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consultation, use, disclosure by transmission, dissemination or otherwise making available, aligning or combining, restricting, deleting or destroying such personal data or personal data sets. These are just examples. Basically, processing means any operation on personal data, whether by automatic or manual means.