CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY
We are committed to ensuring the confidentiality and protection of your personal data and to be fully transparent about the situations, purposes and means in which we carry out our processing activities.
When we request personal data from you, we shall in particular ensure that it is appropriate, relevant and limited to what is necessary in relation to the specified, explicit and legitimate purposes.
We pay special attention to your rights and respond to your requests when you need additional information.
WHO ARE WE AND HOW CAN YOU CONTACT US?
We are Therme Nord București S.R.L. (“Therme”, “We”), Romanian legal entity, registered at the Trade Register Sibiu, under number J32/55/2012, CUI RO 28472550.
When we act as data controller, deciding the purposes and means of personal data processing, we have the responsibility to fulfill all legal requirements regarding the processing of your personal data.
Our registered office is located in Romania, Sibiu, Victor Hugo street, no. 2, building C1, office 1, 1st floor.
We operate from our working point, in Balotești, Calea Bucureşti, no. 1K, Ilfov County, Romania (Therme Bucharest Complex).
Our data protection officer carries out his activity at the address of the working point and can be contacted by email, at the email address: firstname.lastname@example.org
You can contact us by mail, courier and by email at the mentioned addresses.
In the same context, we may also refer to you as the "data subject".
WHAT IS THE SOURCE OF PERSONAL DATA?
WHAT IS THE LEGAL FRAMEWORK UNDER WHICH WE PROCESS YOUR PERSONAL DATA?
We process your personal data in accordance with national and European provisions on the protection of personal data, in particular:
We shall also consider:
WHY DO WE PROCESS YOUR DATA?
The purposes for which we may process your personal data are varied.
We generally process your personal data when necessary to provide you with Therme’s products and services, under a contract or to fulfill our legal obligations arising from our activity (e.g. tax obligations, storage and archiving of supporting documents, communication with authorities etc.), or when it is necessary to defend our legitimate interest.
Legitimate interest may refer to:
The processing of your data by us or other third parties for the above-mentioned situations will always be carried out on the basis of a rigorous analysis that results in the need for the processing and that it will not unduly affect your fundamental rights and freedoms.
We shall also use consent as a legal basis whenever we process your data based on your prior permission in various situations (Therme newsletter sign up, participation in survey, etc.). When we rely on this legal basis, you always have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.
Please refer to our Privacy Notices, in order to obtain detailed information on the legal grounds and purposes that are used in connection with the processing of your data.
WHO ELSE HAS ACCESS TO YOUR PERSONAL DATA?
Your data may also be disclosed to other third parties such as IT service providers, payment processors, financial-accounting service providers, marketing service providers, safety and health service providers, application and web tool providers, website and mobile app developers, market research providers, recruitment service providers, consultants, lawyers, legal advisors, auditors, or other similar entities.
We only disclose your data to them when necessary, taking into account the risks and applying appropriate safeguards.
Some of the categories of recipients mentioned may process your data for their own purposes or in accordance with the legal requirements imposed on them by the authorities. In this context, they are also data controllers for the processing activities carried out, becoming directly responsible for compliance with data protection laws.
Others will process personal data only at our request and for our purposes, based on prior instructions. They are considered our processors for the processing of your personal data.
We only use trusted processors, who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing of your data complies with the requirements of data protection law. The processing of your personal data by our processors is always governed by a contract or other legal act before we disclose their data.
THE LIST OF THERME’S MAIN PROCESSORS: [CLICK HERE]
It is also possible to transmit your data to authorities or certain government institutions, only when we are required by law to do so or when we have a well-founded legitimate interests.
INTERNATIONAL DATA TRANSFER
As a rule, the data we collect about you is processed in Romania, but also within the European Union, where the same legal provisions apply in the field of data protection.
Your data may also be transferred to countries that offer an adequate level of protection (e.g. the United Kingdom of Great Britain and Northern Ireland), as decided by the European Commission on the appropriate level. The full list of countries can be consulted here. In other words, transfers to these destinations are considered as safe as transfers between EU Member countries. Transfers made under these conditions do not require special authorizations.
We may also transfer your personal data to third countries such as the United States of America or international organisations that do not provide an adequate level of data protection, in accordance with the requirements of the European Commission. In this situation, we will take all appropriate safeguards to protect your data and to ensure that you have effective remedies to exercise your rights.
In this context, we shall ensure that there are Standard Contractual Clauses, approved by the European Commission, which will be signed with companies in these third countries, as well as contracts on data processing if these companies are our processors.
Where we cannot find other appropriate safeguards, we will only transfer data to these destinations under the following conditions:
We will ensure that any international transfer of personal data is managed with particular care to protect your rights and freedoms.
HOW DO WE PROTECT YOUR PERSONAL DATA?
We make continuous efforts to protect your data throughout its lifetime, to prevent, eliminate or reduce the risks posed by processing activities.
Our data protection team includes information security experts, data protection officers and legal specialists who together define and implement appropriate strategies, policies and procedures for the protection of your personal data.
Our privacy and data protection program ensures that all necessary measures are effectively addressed to meet legal requirements by implementing policies and procedures adapted to the specifics of our activity.
We regularly train our employees in relation to their field of activity and the risk posed by the activity they carry out.
Through the information security program we promote in particular techniques such as pseudonymisation and encryption of personal data.
We take into account the risks and impact that a potential data breach may have on your rights and freedoms, so we have implemented procedures that help prevent, remedy or mitigate the impact on the privacy of your personal data in the event of such a risk materializes.
We carry out data protection impact assessments whenever a particular processing activity may pose a risk to your fundamental rights and freedoms before we start processing your data.
We impose special conditions on all our processors before transmitting your personal data to them in accordance with data protection laws.
We ensure data protection from the moment of design and by default for the entire duration of processing when we implement new IT systems or new processing activities.
We have appointed a data protection officer who monitors the compliance of our personal data processing activities in accordance with legal requirements.
We keep records of processing activities that fall under our responsibility as a data controller.
We have limited the retention of personal data in accordance with legal requirements and our legitimate interests and we ensure their safe destruction.
We regularly audit IT systems in order to improve security measures ensuring an adequate level of security, in line with the technological development of the market.
WHAT ARE YOUR RIGHTS?
Under the conditions set out in the data protection laws, as a data subject, you have the following rights:
HOW CAN YOU EXERCISE YOUR RIGHTS?
If you wish to exercise any of your rights related to the processing of your personal data, to obtain clarification or further information, please contact our Data Protection Officer, by email, at email@example.com.
We will comply with your request within 30 calendar days from the date of receipt of your request. Given the complexity and number of requests, we can extend this period by another two months. We will always inform you in advance of this extension, together with the reason for the delay.
Depending on the nature of the request, where the information you submit to us is insufficient to identify you, investigate and resolve your request, we may ask you for additional information.
Before responding to any request, we will always ensure that we have sufficient data to ensure that you are the owner of the data. If we are unable to identify you, we may refuse to provide you with the requested information that may not belong to you.
We may also refuse to comply with your requests if you ask us for the same information repeatedly, excessively or without legal basis.
To obtain details of the main processing activities carried out by us, please visit the Privacy Notices below:
If you consider that the information presented in the Privacy Notices is not sufficient or you do not find the information you are looking for, please contact us.
OTHER DATA CONTROLLERS THAT MAY PROCESS YOUR PERSONAL DATA
Within the Therme Bucharest complex, your data can also be processed by other data controllers, that you may interact with, in various situations:
The data controllers mentioned above have full responsibility to fulfill all legal obligations under data protection laws.
Please visit this page periodically to make sure you always have up-to-date information.
Last update: April 2022