{"id":6721,"date":"2022-11-28T14:28:04","date_gmt":"2022-11-28T14:28:04","guid":{"rendered":"https:\/\/vienahotel.ro\/?page_id=6721"},"modified":"2023-06-21T14:39:37","modified_gmt":"2023-06-21T12:39:37","slug":"politica-de-confidentialitate","status":"publish","type":"page","link":"https:\/\/vienahotel.ro\/en\/politica-de-confidentialitate\/","title":{"rendered":"privacy policy"},"content":{"rendered":"<p><strong><u>Introduction<\/u><\/strong><\/p>\n\n\n\n<p>Privacy of personal data is one of the main concerns of the Controller. As such, we aim\nto ensure the highest standards of confidentiality and transparency with regard to the\npersonal data we process in our day-to-day business.<\/p>\n\n\n\n<p>As it is necessary to process a range of personal data in the course of our hotel business,\nwe wish to provide assurances that processing will take place in accordance with the\nprinciples of transparency and security of personal data. This privacy policy is intended\nto help you understand what data we collect, why we collect it and what we do with it.<\/p>\n\n\n\n<p><strong><u>Controller information<\/u><\/strong><\/p>\n\n\n\n<p class=\" translation-block\"><strong>The controller is PROIMUNITI 2013 SRL <\/strong>, a limited liability company set up and\noperating under the laws of Romania, having its registered office in Satu Mare, str. Mihai Viteazu nr.16, judetul Satu Mare, registered with the Trade Register under\nno.J30\/599\/2013, with Sole Registration Code 32192230.<\/p>\n\n\n\n<p class=\" translation-block\">In accordance with <strong>Article 32 of Regulation 679\/2016 (\" GDPR\")<\/strong>, we have taken appropriate technical, physical and organisational security measures to protect personal data against unauthorised\/illegal access, alteration, deletion, damage, loss or access.<\/p>\n\n\n\n<p>We will comply with the principles of processing personal data as stated in Article 5 of the GDPR, i.e. we will process your personal data:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Legally, fairly and transparently;<\/li><li>For specified, explicit and legitimate purposes and not in a way incompatible with the purposes stated at the time of collection of the personal data;<\/li><li>Ensuring their adequacy, relevance, limiting the processing to what is necessary in relation to the purposes of the processing;<\/li><li>Ensuring that personal data that is inaccurate is deleted or rectified without delay;<\/li><li>Storing the data in a form which allows identification of data subjects for no longer than is necessary for the purposes of processing;<\/li><li>In a way that ensures appropriate data security, including protection against unauthorised or unlawful processing or accidental loss, destruction or damage, by taking appropriate technical and organisational measures.<\/li><\/ul>\n\n\n\n<p><strong>Person appointed on behalf of the controller as Data Protection Officer<\/strong>: Eugenia Kovacs, email: <a href=\"mailto:jeni.kovacs@yahoo.com\">jeni.kovacs@yahoo.com<\/a><\/p>\n\n\n\n<p><strong><u>I. Categories of personal data subject to processing<\/u><\/strong><\/p>\n\n\n\n<p class=\" translation-block\">The controller, as a hotel accommodation establishment, will process the following categories of personal data<strong> of natural persons staying or booking at the hotel:<\/strong><\/p>\n\n\n\n<p>- Last name, first name<\/p>\n\n\n\n<p>- Address\/residence<\/p>\n\n\n\n<p>- PIN<\/p>\n\n\n\n<p>- Identity card number and series and any other data entered on the identity card<\/p>\n\n\n\n<p>- Date and place of birth<\/p>\n\n\n\n<p>- Citizenship<\/p>\n\n\n\n<p>- Passport series and number and any other data entered in the passport<\/p>\n\n\n\n<p>- Phone number and email address<\/p>\n\n\n\n<p>- Bank account<\/p>\n\n\n\n<p>- Data on the period of accommodation of the tourist in the hotel unit managed by the\ncontroller<\/p>\n\n\n\n<p>- Purpose of the trip to Romania<\/p>\n\n\n\n<p>- Data on the appearance and activities carried out in the common areas of the hotel,\nresulting from security video recordings.<\/p>\n\n\n\n<p class=\" translation-block\">Video recordings capturing images of individuals entering the common areas of the hotel <strong>do not represent biometric data<\/strong>, as:<\/p>\n\n\n\n<p>- according to item 51 of the GDPR Recitals, the processing of photographs should not be systematically considered as processing of special categories of personal data, as photographs fall within the definition of biometric data only in cases where they are processed by specific technical means which allow the unique identification or authentication of a natural person;<\/p>\n\n\n\n<p>- the video recordings are in fact a series of photographs capturing the movements of the personnel in chronological order and the technical means of video recording that we use do not allow unique identification of persons, as we do not have facial identification software.<\/p>\n\n\n\n<p>-<\/p>\n\n\n\n<p><strong><u>II. The purpose of processing personal data<\/u><\/strong><\/p>\n\n\n\n<p>The controller shall process the personal data referred to in item I mainly for the purpose of fulfilling obligations arising from hotel service contracts concluded with tourists or third parties for the benefit of tourists (for the sake of clarity, whenever a tourist is accommodated in a hotel managed by the controller at his\/her request, a hotel service contract is deemed to have been concluded).<\/p>\n\n\n\n<p>The controller shall also process the personal data referred to in item I for the purpose of fulfilling the legal obligations incumbent on it under the legislation applicable to tourist accommodation units\/facilities and under tax and accounting legislation.<\/p>\n\n\n\n<p>The main legal obligations specified above are:<\/p>\n\n\n\n<p>1. The obligation to keep in the professional archive copies of the arrival and departure notification forms filled in by tourists and to communicate information on the accommodation of tourists in the hotel accommodation unit managed to the\npolice authorities and the Ministry of Internal Affairs (S. 2 (9) and (10) and S.5 of GD 237\/2001).<\/p>\n\n\n\n<p>2. The obligation to draw up tax invoices containing the personal data referred to in Article 319 of the Tax Code and the obligation to keep supporting accounting documents.<\/p>\n\n\n\n<p>3. The obligation to be in charge with the security, safety and integrity of tourists' property (S.6 of GD 237\/2001)<\/p>\n\n\n\n<p>The controller will process your email address and telephone number for marketing purposes, i.e. to send newsletters to tourists\/guests who are staying or who have made a reservation periodically about possible promotions and products and services provided;<\/p>\n\n\n\n<p>Finally, the controller will process personal data for the purpose of defending its rights in court in case of any claims\/complaints of tourists arising from the contracts concluded or for the purpose of enforcing its own rights arising from these contracts.<\/p>\n\n\n\n<p>We do not use personal data for automated processing or profiling. We never make automated decisions about you. We use technical means to store data securely. We do not process data for secondary purposes incompatible with the purposes for which we\ncollected it.<\/p>\n\n\n\n<p><strong><u>III. Basis of processing of personal data<\/u><\/strong><\/p>\n\n\n\n<p>The controller processes personal data on the following grounds set out in Article 6 of\nthe GDPR:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li class=\" translation-block\"><b>Art. 6 (b):  <\/b> The processing is necessary for the performance of a contract to\nwhich the data subject is a party or for taking steps at the request of the data\nsubject prior to the conclusion of a contract.<\/li><\/ul>\n\n\n\n<p>Refusal to provide personal data subject to processing on this basis will result in our refusal to provide accommodation in the hotel. In this case, we are exempt from any liability.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li class=\" translation-block\"><b>Art.6 (c):<\/b> The processing is necessary for compliance with a legal obligation\nincumbent on the controller.<\/li><\/ul>\n\n\n\n<p>This ground for processing personal data applies both during the course of the contracts concluded by the controller with tourists and after the termination of these contracts, with regard to the processing of personal data for which there is a legal obligation, as indicated in item II of this Regulation.<\/p>\n\n\n\n<p>This ground for processing also applies to personal data of tourists staying in the hotel managed by the controller, if the hotel service contract is concluded by the controller with a third party, which pays for the accommodation services for the tourists staying there.<\/p>\n\n\n\n<p>Refusal to provide personal data subject to processing on this basis will result in our refusal to provide accommodation in the hotel. In this case, we are exempt from any liability.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li class=\" translation-block\"><b>Art.6 (f):<\/b> The processing is necessary for the purposes of legitimate interests\npursued by the controller or a third party.<\/li><\/ul>\n\n\n\n<p>The legitimate interest of the controller is to promote its hotel services in order to make a profit. This type of processing of personal data has a minimal impact on the data subject, as the only data subject to processing for marketing purposes are the email address and telephone number.<\/p>\n\n\n\n<p>Also, with regard to other personal data, the legitimate interest of the controller consists in the possibility to defend itself in the event of complaints raised by co-contractors\/visitors concerning its professional activity or in the event that the\ncontroller needs to enforce its rights deriving from contracts concluded in contradiction with the persons listed above.<\/p>\n\n\n\n<p>In the alternative, the controller will also process personal data on the other grounds provided for in Article 6 of the GDPR and will inform the data subject of the data processing and the basis of the processing incident.<\/p>\n\n\n\n<p><strong><u>IV. Categories of persons to whom personal data will be disclosed by the controller<\/u><\/strong><\/p>\n\n\n\n<p>a. Employees and collaborators of the controller, who have signed a confidentiality agreement with the controller regarding the personal data subject to processing.<\/p>\n\n\n\n<p>b. Public institutions and authorities - to the extent that the controller is legally obliged\nto disclose personal data to them (e.g. police, courts, Ministry of Internal Affairs, Labour\nInspectorate, Ministry of Labour, AJOFM, REVISAL).<\/p>\n\n\n\n<p>c. Third natural and legal persons, insofar as the disclosure of personal data is necessary\nfor the performance by the controller of its contractual obligations or for the fulfilment of legal obligations (e.g. occupational physician, labour protection officer, outsourced\naccounting service, IT service providers, etc.).<\/p>\n\n\n\n<p><a>We do not intend to transfer personal data to a third country or international\norganisation.<\/a><\/p>\n\n\n\n<p><strong><u>V. Expected deadlines for the deletion of personal data subject to\nprocessing<\/u><\/strong><\/p>\n\n\n\n<p>The personal data of the accommodated tourists processed by the controller will be kept\nfor the duration of the contracts concluded by them with the controller.<\/p>\n\n\n\n<p>After the termination of the contracts concluded by the persons listed above with the\ncontroller, the data will be deleted or anonymised as follows:<\/p>\n\n\n\n<p class=\" translation-block\">a. After a period of 5 years, calculated from July 1st of the year following the end of the\nfinancial year in which they were drawn up, with regard to the personal data recorded in\nthe supporting documents underlying the controller's accounting records (according to\nS. 25 of Law 82\/1991)<\/p>\n\n\n\n<p class=\" translation-block\">b. After a period of 5 years, with regard to the data of the tourists accommodated found\nin the arrival and departure notification forms (according to S. 2 (10) of GD 237\/2001).<\/p>\n\n\n\n<p class=\" translation-block\">c. After a period of 6 years in the case of personal data not falling into the above\ncategories. The 6-year period is justified by the need to keep the data in case of\ncomplaints or referrals concerning the professional activity of the controller or if the\ncontroller needs the personal data to enforce a right of the controller arising from\ncontracts concluded with data subjects (the 6-year period is justified by the existence of\na 3-year limitation period for any legal action brought against the controller or for any\nlegal action brought before the court by the controller, which limitation period is subject\nto suspensions and interruptions under the Civil Code).<\/p>\n\n\n\n<p class=\" translation-block\">d. Personal data captured by the video recordings will be deleted after a period of 30\ndays has elapsed since the recordings were made, unless it is necessary to keep the data\nfor a longer period because the video recordings captured the commission of a crime,\nmisdemeanour or tort.<\/p>\n\n\n\n<p class=\" translation-block\">e. Personal data processed for marketing purposes (email address and phone number)\nwill be deleted or anonymised after a period of 3 years from the date of booking.<\/p>\n\n\n\n<p><strong><u>VI. Technical and organisational measures for the security of personal data\n- general description<\/u><\/strong><\/p>\n\n\n\n<p>Taking into account the amount of personal data subject to processing by the controller,\nthe purposes of data processing and the costs of implementing personal data security\nmeasures, the controller shall implement the following data security measures:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The personal data of the tourists accommodated at the hotel will only be\nprocessed by employees who have signed a confidentiality agreement with the\ncontroller;<\/li><li>Security measures of the space where personal data are stored - personal data are\nstored at the controller's premises, in a space that is not accessible to the tourists\nstaying there or to employees who have not signed a confidentiality agreement\nwith the controller and that is equipped with an alarm and security system.<\/li><li>Access to electronic personal data storage devices (computers, laptops, tablets)\nwill be password-based only, and the password will be known only to employees\nwho have signed a confidentiality agreement with the controller and the\ncontroller's legal representatives. Electronic data storage devices are also\nprovided with antivirus software.<\/li><\/ul>\n\n\n\n<p><strong><u>Rights of data subjects in relation to personal data processed by the\ncontroller - correlative obligations of the controller<\/u><\/strong><\/p>\n\n\n\n<p><strong>1. Right to be informed<\/strong><\/p>\n\n\n\n<p>The data subject has the right to be fully, fairly and accurately informed of the personal\ndata to be processed, the purpose of the processing, the persons who will carry out the\nprocessing operation and the period for which the personal data will be processed or\nstored;<\/p>\n\n\n\n<p class=\" translation-block\">The controller will inform data subjects of the above by means of an information\nnotice, which will be signed by them at the time of the start of the processing of\npersonal data. For tourists, the information notice will be signed when they sign the\narrival and departure notification form. By exception, if tourists have booked their\naccommodation in the hotel through the booking software on our website, the\ninformation will be provided by means of this privacy policy, which will be made known\nto tourists at the time of booking.<\/p>\n\n\n\n<p><strong>2. Right to withdraw consent (only if the processing is carried out on the\nbasis of the data subject's consent):<\/strong>:<\/p>\n\n\n\n<p>(1) The data subject shall have the right to withdraw his or her consent to the processing\nof personal data, provided that the processing carried out until the withdrawal of\nconsent is considered lawful and valid.<\/p>\n\n\n\n<p>(2) Withdrawal of consent may be performed by making and submitting a request for\nwithdrawal of consent to the controller. Upon receipt of the request, the controller shall immediately inform its collaborators in order to cease any activities involving the\nprocessing of personal data of the data subject.<\/p>\n\n\n\n<p>(3) Withdrawal of consent shall immediately result in the cessation of any processing of\npersonal data of the data subjects, which will make it impossible to achieve the purpose\nfor which such data were granted, namely the fulfilment by the controller of the\nobligations assumed under the contracts concluded. In such circumstances, the\ncontroller shall immediately notify the data subject and inform him\/her of the cessation\nof any processing of his\/her personal data provided to it.<\/p>\n\n\n\n<p><strong>3. Right of access, rectification, erasure of data, restriction of processing\nand objection to processing:<\/strong>:<\/p>\n\n\n\n<p>(1). The data subject shall have the right to obtain from the controller confirmation as to\nwhether or not personal data relating to him or her are being processed and, if so, access\nto those data and to the following information: the purposes of the processing, the\ncategories of personal data concerned, the recipients or categories of recipients to whom\nthe personal data have been or will be disclosed, in particular recipients in third\ncountries or international organisations, where possible, the period for which the\npersonal data are intended to be stored, or, where this is not possible, the criteria used\nto establish this period, the existence of the right to request the controller to rectify or\nerase personal data or to restrict the processing of personal data concerning the data\nsubject or the right to object to the processing, the right to lodge a complaint with a\nsupervisory authority;<\/p>\n\n\n\n<p>(2). The controller shall provide a copy of the personal data undergoing processing.\nWhere the data subject submits the request in electronic format and unless the data\nsubject requests another format, the information shall be provided in a commonly used\nelectronic format.<\/p>\n\n\n\n<p>(3). The data subject shall have the right to obtain from the controller, without undue\ndelay, the rectification of inaccurate personal data relating to him or her. Having regard\nto the purposes for which the data have been processed, the data subject shall have the\nright to obtain the completion of personal data which are incomplete, including by\nproviding an additional statement.<\/p>\n\n\n\n<p>(4). The data subject shall have the right to obtain from the controller the erasure of\npersonal data concerning him or her without undue delay and the controller shall have\nthe obligation to erase personal data without undue delay if one of the grounds laid\ndown in Article 17 (1) of the GDPR applies.<\/p>\n\n\n\n<p>(5). The data subject shall have the right to obtain from the controller the restriction of\nthe processing if one of the following applies: the data subject disputes the accuracy of\nthe data, for a period allowing the controller to check the accuracy of the data, the\nprocessing is unlawful, and the data subject objects to the erasure of the personal data\nand requests instead the restriction of their use, the controller no longer needs the\npersonal data for the purpose of the processing, but the data subject requests it for the\nestablishment, enforcement or defence of legal claims, the data subject has objected to\nthe processing in accordance with Article 21(1) of the GDPR, for the period of time\nduring which it is verified whether the legitimate rights of the controller prevail over\nthose of the data subject.<\/p>\n\n\n\n<p>(6). The data subject shall have the right to receive personal data concerning him or her\nwhich he or she has provided to the controller in a structured, commonly used and\nmachine-readable format and shall have the right to transmit such data to another\ncontroller, without hindrance on the part of the controller to whom the personal data\nwere provided, if: the processing is based on consent pursuant to Article 6(1)(a) or\nArticle 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the Regulation\nand the processing is carried out by automatic means.<\/p>\n\n\n\n<p>(7) The data subject shall have the right to object at any time, on grounds relating to his\nor her particular situation, to the processing under Article 6(1)(e) or (f) or Article 6(1) of\npersonal data relating to him or her, including profiling on the basis of those provisions.\nThe controller shall no longer process the personal data unless the controller\ndemonstrates it has compelling legitimate grounds for the processing which override the\ninterests, rights and freedoms of the data subject, or that the purpose is the\nestablishment, enforcement or defence of legal claims.<\/p>\n\n\n\n<p><strong>4. The right to lodge a complaint with the Supervisory Authority:<\/strong><\/p>\n\n\n\n<p>Without prejudice to any other administrative or judicial remedy, any data subject shall\nhave the right to lodge a complaint with a supervisory authority, in particular in the\nMember State of his or her habitual residence, place of employment or where the alleged\nbreach occurred, if he or she considers that the processing of personal data relating to\nhim or her is in breach of this Regulation.<\/p>\n\n\n\n<p><strong>5. The right to be informed about personal data breaches:<\/strong><\/p>\n\n\n\n<p>Where the breach of personal data security is likely to result in a high risk to the rights\nand freedoms of natural persons, the controller shall inform the data subject of the\nbreach without undue delay.<\/p>\n\n\n\n<p>Where a personal data breach occurs, the controller shall notify the competent\nsupervisory authority without undue delay and, if possible, no later than 72 hours after\nbecoming aware of it, unless it is likely to result in a risk to the rights and freedoms of\nnatural persons. If the notification is not made within 72 hours, it shall be accompanied\nby a reasoned explanation.<\/p>\n\n\n\n<p>This notification shall include at least:<\/p>\n\n\n\n<p>(a) the nature of the personal data breach, including, where possible, the categories and\napproximate number of data subjects concerned and the categories and approximate\nnumber of personal data records concerned;<\/p>\n\n\n\n<p>(b) the name and contact details of the data protection officer or another contact point\nfrom which further information can be obtained;<\/p>\n\n\n\n<p>(c) the likely consequences of the personal data breach;<\/p>\n\n\n\n<p>(d) the measures taken or proposed to be taken by the controller to remedy the personal\ndata breach, including, where appropriate, measures to mitigate any adverse effects\nthereof.<\/p>\n\n\n\n<p>The controller shall keep records of all personal data breaches, including a description\nof the factual situation in which the personal data breach occurred, its effects and the\nremedial measures taken.<\/p>\n\n\n\n<p><strong>6. Additional obligations imposed on controllers:<\/strong><\/p>\n\n\n\n<p>The controller shall provide the data subject with information on the action taken\nfollowing a request concerning the data subject's rights without undue delay and in any\nevent no later than one month after receipt of the request. This period may be extended\nby two months where necessary, taking into account the complexity and number of\nrequests.<\/p>\n\n\n\n<p>The controller shall inform the data subject of any such extension within one month of\nreceipt of the request, giving the reasons for the delay. Where the data subject submits a\nrequest in electronic format, the information shall be provided in electronic format\nwhere possible, unless the data subject requests another format.<\/p>\n\n\n\n<p>If the controller fails to take action on the data subject's request, it shall inform the data\nsubject without delay and at the latest within one month of receipt of the request of the\nreasons for not taking action and of the possibility to lodge a complaint with a\nsupervisory authority and to seek judicial remedy.<\/p>\n\n\n\n<p>If you wish to exercise any of the rights indicated above, please contact the data\nprotection officer appointed by the controller.<\/p>","protected":false},"excerpt":{"rendered":"<p>Introducere Confiden\u021bialitatea datelor cu caracter personal reprezint\u0103 una din preocup\u0103rile principale ale Operatorului. Ca atare, dorim s\u0103 asigur\u0103m cele mai \u00eenalte standarde de confiden\u021bialitate \u0219i transparen\u021b\u0103 cu privire la datele cu caracter personal pe care le prelucr\u0103m \u00een activitatea noastr\u0103 curent\u0103. \u00centruc\u00e2t \u00een desf\u0103\u0219urarea activit\u0103\u021bii noastre hoteliere este necesar s\u0103 prelucr\u0103m o serie de date [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-6721","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/pages\/6721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/comments?post=6721"}],"version-history":[{"count":3,"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/pages\/6721\/revisions"}],"predecessor-version":[{"id":7242,"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/pages\/6721\/revisions\/7242"}],"wp:attachment":[{"href":"https:\/\/vienahotel.ro\/en\/wp-json\/wp\/v2\/media?parent=6721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}