Privacy policy

Introduction

Privacy of personal data is one of the main concerns of the Controller. As such, we aim to ensure the highest standards of confidentiality and transparency with regard to the personal data we process in our day-to-day business.

As it is necessary to process a range of personal data in the course of our hotel business, we wish to provide assurances that processing will take place in accordance with the principles of transparency and security of personal data. This privacy policy is intended to help you understand what data we collect, why we collect it and what we do with it.

Controller information

The controller is PROIMUNITI 2013 SRL, a limited liability company set up and operating under the laws of Romania, having its registered office in Satu Mare, str. Mihai Viteazu nr. 16, judetul Satu Mare, registered with the Trade Register under no. J30/599/2013, with Sole Registration Code 32192230.

In accordance with Article 32 of Regulation 679/2016 ("GDPR"), we have taken appropriate technical, physical and organisational security measures to protect personal data against unauthorised/illegal access, alteration, deletion, damage, loss or access.

We will comply with the principles of processing personal data as stated in Article 5 of the GDPR, i.e. we will process your personal data:

  • Legally, fairly and transparently;
  • For specified, explicit and legitimate purposes and not in a way incompatible with the purposes stated at the time of collection of the personal data;
  • Ensuring their adequacy, relevance, limiting the processing to what is necessary in relation to the purposes of the processing;
  • Ensuring that personal data that is inaccurate is deleted or rectified without delay;
  • Storing the data in a form which allows identification of data subjects for no longer than is necessary for the purposes of processing;
  • In a way that ensures appropriate data security, including protection against unauthorised or unlawful processing or accidental loss, destruction or damage, by taking appropriate technical and organisational measures.

Person appointed on behalf of the controller as Data Protection Officer: Eugenia Kovacs, email: jeni.kovacs@yahoo.com

I. Categories of personal data subject to processing

The controller, as a hotel accommodation establishment, will process the following categories of personal data of natural persons staying or booking at the hotel:

- Last name, first name

- Address/residence

- PIN

- Identity card number and series and any other data entered on the identity card

- Date and place of birth

- Citizenship

- Passport series and number and any other data entered in the passport

- Phone number and email address

- Bank account

- Data on the period of accommodation of the tourist in the hotel unit managed by the controller

- Purpose of the trip to Romania

- Data on the appearance and activities carried out in the common areas of the hotel, resulting from security video recordings.

Video recordings capturing images of individuals entering the common areas of the hotel do not represent biometric data, as:

- according to item 51 of the GDPR Recitals, the processing of photographs should not be systematically considered as processing of special categories of personal data, as photographs fall within the definition of biometric data only in cases where they are processed by specific technical means which allow the unique identification or authentication of a natural person;

- the video recordings are in fact a series of photographs capturing the movements of the personnel in chronological order and the technical means of video recording that we use do not allow unique identification of persons, as we do not have facial identification software.

II. The purpose of processing personal data

The controller shall process the personal data referred to in item I mainly for the purpose of fulfilling obligations arising from hotel service contracts concluded with tourists or third parties for the benefit of tourists (for the sake of clarity, whenever a tourist is accommodated in a hotel managed by the controller at his/her request, a hotel service contract is deemed to have been concluded).

The controller shall also process the personal data referred to in item I for the purpose of fulfilling the legal obligations incumbent on it under the legislation applicable to tourist accommodation units/facilities and under tax and accounting legislation.

The main legal obligations specified above are:

1. The obligation to keep in the professional archive copies of the arrival and departure notification forms filled in by tourists and to communicate information on the accommodation of tourists in the hotel accommodation unit managed to the police authorities and the Ministry of Internal Affairs (S. 2 (9) and (10) and S.5 of GD 237/2001).

2. The obligation to draw up tax invoices containing the personal data referred to in Article 319 of the Tax Code and the obligation to keep supporting accounting documents.

3. The obligation to be in charge of the security, safety and integrity of tourists' property (S. 6 of GD 237/2001).

The controller will process your email address and telephone number for marketing purposes, i.e. to periodically send newsletters about possible promotions and the products and services provided to tourists/guests who are staying or who have made a reservation.

Finally, the controller will process personal data for the purpose of defending its rights in court in case of any claims/complaints of tourists arising from the contracts concluded or for the purpose of enforcing its own rights arising from these contracts.

We do not use personal data for automated processing or profiling. We never make automated decisions about you. We use technical means to store data securely. We do not process data for secondary purposes incompatible with the purposes for which we collected it.

III. Basis of processing of personal data

The controller processes personal data on the following grounds set out in Article 6 of the GDPR:

  • Art. 6 (b): The processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to the conclusion of a contract.

Refusal to provide personal data subject to processing on this basis will result in our refusal to provide accommodation in the hotel. In this case, we are exempt from any liability.

  • Art. 6 (c): The processing is necessary for compliance with a legal obligation incumbent on the controller.

This ground for processing personal data applies both during the course of the contracts concluded by the controller with tourists and after the termination of these contracts, with regard to the processing of personal data for which there is a legal obligation, as indicated in item II of this Regulation.

This ground for processing also applies to personal data of tourists staying in the hotel managed by the controller, if the hotel service contract is concluded by the controller with a third party, which pays for the accommodation services for the tourists staying there.

Refusal to provide personal data subject to processing on this basis will result in our refusal to provide accommodation in the hotel. In this case, we are exempt from any liability.

  • Art. 6 (f): The processing is necessary for the purposes of legitimate interests pursued by the controller or a third party.

The legitimate interest of the controller is to promote its hotel services in order to make a profit. This type of processing of personal data has a minimal impact on the data subject, as the only data subject to processing for marketing purposes are the email address and telephone number.

Also, with regard to other personal data, the legitimate interest of the controller consists in the possibility to defend itself in the event of complaints raised by co-contractors/visitors concerning its professional activity or in the event that the controller needs to enforce its rights deriving from contracts concluded in contradiction with the persons listed above.

In the alternative, the controller will also process personal data on the other grounds provided for in Article 6 of the GDPR and will inform the data subject of the data processing and the applicable basis of the processing.

IV. Categories of persons to whom personal data will be disclosed by the controller

a. Employees and collaborators of the controller, who have signed a confidentiality agreement with the controller regarding the personal data subject to processing.

b. Public institutions and authorities - to the extent that the controller is legally obliged to disclose personal data to them (e.g. police, courts, Ministry of Internal Affairs, Labour Inspectorate, Ministry of Labour, AJOFM, REVISAL).

c. Third natural and legal persons, insofar as the disclosure of personal data is necessary for the performance by the controller of its contractual obligations or for the fulfilment of legal obligations (e.g. occupational physician, labour protection officer, outsourced accounting service, IT service providers, etc.).

We do not intend to transfer personal data to a third country or international organisation.

V. Expected deadlines for the deletion of personal data subject to processing

The personal data of the accommodated tourists processed by the controller will be kept for the duration of the contracts concluded by them with the controller.

After the termination of the contracts concluded by the persons listed above with the controller, the data will be deleted or anonymised as follows:

a. After a period of 5 years, calculated from July 1st of the year following the end of the financial year in which they were drawn up, with regard to the personal data recorded in the supporting documents underlying the controller's accounting records (according to S. 25 of Law 82/1991).

b. After a period of 5 years, with regard to the data of the tourists accommodated found in the arrival and departure notification forms (according to S. 2 (10) of GD 237/2001).

c. After a period of 6 years in the case of personal data not falling into the above categories. The 6-year period is justified by the need to keep the data in case of complaints or referrals concerning the professional activity of the controller or if the controller needs the personal data to enforce a right of the controller arising from contracts concluded with data subjects (the 6-year period is justified by the existence of a 3-year limitation period for any legal action brought against the controller or for any legal action brought before the court by the controller, which limitation period is subject to suspensions and interruptions under the Civil Code).

d. Personal data captured by the video recordings will be deleted after a period of 30 days has elapsed since the recordings were made, unless it is necessary to keep the data for a longer period because the video recordings captured the commission of a crime, misdemeanour or tort.

e. Personal data processed for marketing purposes (email address and phone number) will be deleted or anonymised after a period of 3 years from the date of booking.

VI. Technical and organisational measures for the security of personal data - general description

Taking into account the amount of personal data subject to processing by the controller, the purposes of data processing and the costs of implementing personal data security measures, the controller shall implement the following data security measures:

  • The personal data of the tourists accommodated at the hotel will only be processed by employees who have signed a confidentiality agreement with the controller;
  • Security measures of the space where personal data are stored - personal data are stored at the controller's premises, in a space that is not accessible to the tourists staying there or to employees who have not signed a confidentiality agreement with the controller and that is equipped with an alarm and security system.
  • Access to electronic personal data storage devices (computers, laptops, tablets) will be password-based only, and the password will be known only to employees who have signed a confidentiality agreement with the controller and the controller's legal representatives. Electronic data storage devices are also provided with antivirus software.

Rights of data subjects in relation to personal data processed by the controller - correlative obligations of the controller

1. Right to be informed

The data subject has the right to be fully, fairly and accurately informed of the personal data to be processed, the purpose of the processing, the persons who will carry out the processing operation and the period for which the personal data will be processed or stored;

The controller will inform data subjects of the above by means of an information notice, which will be signed by them at the time of the start of the processing of personal data. For tourists, the information notice will be signed when they sign the arrival and departure notification form. By exception, if tourists have booked their accommodation in the hotel through the booking software on our website, the information will be provided by means of this privacy policy, which will be made known to tourists at the time of booking.

2. Right to withdraw consent (only if the processing is carried out on the basis of the data subject's consent):

(1) The data subject shall have the right to withdraw his or her consent to the processing of personal data, provided that the processing carried out until the withdrawal of consent is considered lawful and valid.

(2) Withdrawal of consent may be performed by making and submitting a request for withdrawal of consent to the controller. Upon receipt of the request, the controller shall immediately inform its collaborators in order to cease any activities involving the processing of personal data of the data subject.

(3) Withdrawal of consent shall immediately result in the cessation of any processing of personal data of the data subjects, which will make it impossible to achieve the purpose for which such data were granted, namely the fulfilment by the controller of the obligations assumed under the contracts concluded. In such circumstances, the controller shall immediately notify the data subject and inform him/her of the cessation of any processing of his/her personal data provided to it.

3. Right of access, rectification, erasure of data, restriction of processing and objection to processing:

(1). The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, access to those data and to the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, where possible, the period for which the personal data are intended to be stored, or, where this is not possible, the criteria used to establish this period, the existence of the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning the data subject or the right to object to the processing, the right to lodge a complaint with a supervisory authority;

(2). The controller shall provide a copy of the personal data undergoing processing. Where the data subject submits the request in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.

(3). The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes for which the data have been processed, the data subject shall have the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.

(4). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the grounds laid down in Article 17 (1) of the GDPR applies.

(5). The data subject shall have the right to obtain from the controller the restriction of the processing if one of the following applies: the data subject disputes the accuracy of the data, for a period allowing the controller to check the accuracy of the data, the processing is unlawful, and the data subject objects to the erasure of the personal data and requests instead the restriction of their use, the controller no longer needs the personal data for the purpose of the processing, but the data subject requests it for the establishment, enforcement or defence of legal claims, the data subject has objected to the processing in accordance with Article 21(1) of the GDPR, for the period of time during which it is verified whether the legitimate rights of the controller prevail over those of the data subject.

(6). The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another controller, without hindrance on the part of the controller to whom the personal data were provided, if: the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the Regulation and the processing is carried out by automatic means.

(7) The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing under Article 6(1)(e) or (f) or Article 6(1) of personal data relating to him or her, including profiling on the basis of those provisions. The controller shall no longer process the personal data unless the controller demonstrates it has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that the purpose is the establishment, enforcement or defence of legal claims.

4. The right to lodge a complaint with the Supervisory Authority:

Without prejudice to any other administrative or judicial remedy, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or where the alleged breach occurred, if he or she considers that the processing of personal data relating to him or her is in breach of this Regulation.

5. The right to be informed about personal data breaches:

Where the breach of personal data security is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the breach without undue delay.

Where a personal data breach occurs, the controller shall notify the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by a reasoned explanation.

This notification shall include at least:

(a) the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) the name and contact details of the data protection officer or another contact point from which further information can be obtained;

(c) the likely consequences of the personal data breach;

(d) the measures taken or proposed to be taken by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse effects thereof.

The controller shall keep records of all personal data breaches, including a description of the factual situation in which the personal data breach occurred, its effects and the remedial measures taken.

6. Additional obligations imposed on controllers:

The controller shall provide the data subject with information on the action taken following a request concerning the data subject's rights without undue delay and in any event no later than one month after receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of requests.

The controller shall inform the data subject of any such extension within one month of receipt of the request, giving the reasons for the delay. Where the data subject submits a request in electronic format, the information shall be provided in electronic format where possible, unless the data subject requests another format.

If the controller fails to take action on the data subject's request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility to lodge a complaint with a supervisory authority and to seek judicial remedy.

If you wish to exercise any of the rights indicated above, please contact the data protection officer appointed by the controller.