Privacy policy of the hotels in Romania


SC Balneoclimaterica SA Sovata             7 January 2019

This Privacy Policy sets out how SC Balneoclimaterica SA Sovata (“Danubius” or “we”) uses and protects your personal data.  Danubius is the Controller for personal data given to us by guests or prospective guests using the site bookings.danubiushotels.com, as well as for other groups of individuals identified in the policy such as guests interacting with us through different channels, business contacts, and our staff.

The recording of bookings on bookings.danubiushotels.com is managed by Sceptre Hospitality Resource (“SHR”), a USA company.  Our contractual arrangements with SHR incorporate suitable safeguards over your personal data in order to protect the rights you have under EU legislation.  In particular, SHR is registered for the “EU U.S. Privacy Shield”. This is an intergovernmental agreement between the EU and the USA and is recognised by the EU Commission as ensuring enforceable protection of personal data equivalent to data protection standards in the EU. The EU Commission decision can be seen on their official website, for example their press release of 18 October 2017 at http://europa.eu/rapid/press-release_IP-17-3966_en.htm.

In the course of its business activities, Danubius requests, obtains, and processes personal data from guests, prospective guests, business contacts, staff, and other individuals.  We aim to process the minimum personal data we need in order to provide a good service. We recognise and respect the legal rights and reasonable expectations of individuals over their personal data and privacy.

This Privacy Policy explains how we protect personal data and privacy.  Many of the principles we follow are driven by the EU’s General Data Protection Regulation (GDPR).  However, we comply with all applicable legal requirements on personal data protection and privacy. 

You can navigate through the Disclosure using the hyperlinks in the table of contents below. You can also download a PDF version with the hyperlinks embedded by clicking here.

We have tried to make this Privacy Policy easy to use and to understand, within the constraints of the complexity of the information we have to communicate.  If you have any questions on the material or any comments or suggestions as to how we might improve the Disclosure, please contact us at:

privacyfeedback@szovata.ro, 545500 Sovata, Strada Trandafirilor Nr. 111, Romania

You can navigate through this Policy by clicking through the table of contents below.  The main sections are the first two which cover:
1 Your rights under GDPR
2 The different processing activities in Danubius  

Table of Contents
1)    Legal rights of individuals (“data subjects”) under GDPR
1.1    Right to receive transparent information
1.2    Right of access to your own data
1.3    Right to rectify inaccurate data
1.4    Right to erasure (“Right to be forgotten”)
1.5    Right to withdraw consent
1.6    Right to request restriction of processing
1.7    Right to object to processing
1.8    Right not to be subject to automated decisions
1.9    Data portability
1.10    Right to complain to a “Supervisory Authority”
1.11    Right to an effective judicial remedy against a controller or processor
1.12    Contacting Balneoclimaterica regarding GDPR
2)    Data processing
2.1    Room reservation
2.2    Check-in
2.3    Spa health treatments
2.4    Fitness Centre
2.5    Guest questionnaire, evaluation systems, complaint management
2.6    Surveillance cameras
2.7    Newsletter
2.8    Europoints – Loyalty Programme
2.9    Danubius Gift Card
2.10    Debit card data
2.11 Social media (e.g. Facebook, Instagram)
2.12    Contact
2.13 Automatically recorded data, cookies and “remarketing codes”
2.13.1 Automatically recorded data
2.13.2.    Cookies and similar technologies
2.13.3. Web links
2.14    Job applications
2.15    Staff
2.16    Business contacts
3)    Legal reference information (including contact details)
4)    Terms and abbreviations used in this Disclosure


1)    Legal rights of individuals (“data subjects”) under GDPR
The “data subjects” covered by GDPR are living individuals anywhere who deal with a “controller” in the EU, or living individuals in the EU who deal with a controller outside the EU. A “controller” is the legal entity which defines how personal data is processed. “Personal data” is any data which can be linked to a data subject.

As explained below, data subjects have the following specific rights under GDPR:
a)    Right to receive transparent information
b)    Right of access to your own data
c)    Right to rectify inaccurate data
d)    Right to erasure (“Right to be forgotten”) in specific circumstances
e)    Right to withdraw consent
f)    Right to request restriction of processing
g)    Right to object to processing
h)    Right not to be subject to automated decisions
i)    Right to data portability
j)    Right to complain to a “Supervisory Authority”
k)    Right to an effective judicial remedy against a controller or processor

This Policy addresses all of these rights.  On your request regarding any of them, we will respond without undue delay and in any case within one month, and we will do our best to resolve even complex cases within three months. We will respond to you electronically or by such other medium as you request.  We will not charge a fee for an initial request, but we reserve the right to charge an administrative fee for handling a request repeated within a year, or in the case of an otherwise manifestly unfounded or excessive request.


Note that we will need to verify your identity to be able to act on any request.

If we believe that we should not act on your request, we will write to inform you of the basis for our decision, and also of your options for legal remedy.

Separately from these rights, if you believe that Danubius has mistreated you with regard to your personal data or your privacy, please contact us so that we can rectify the situation and improve our service to all guests. You can send a formal complaint to us by email or by post to the address given in section 1.12 “Contacting Balneoclimaterica regarding GDPR” below.

We will aim to respond without undue delay and in any case within a month, although it may take us longer to investigate fully.

1.1    Right to receive transparent information
We will provide all information required by GDPR to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language, particularly for any information specifically for children. We shall provide the information in writing or by electronic means. If you request, we will provide information orally.

We will facilitate your exercising your rights as described in the rest of section 1 below.

Section 1.12 “Contacting Balneoclimaterica regarding GDPR” below gives email and postal addresses for contacting us.  Certain sections on individual activities in section 2 give dedicated addresses for specific enquiries.

1.2    Right of access to your own data
You have the right to obtain from Danubius confirmation as to whether personal data on you is being processed, and, if so, to access the data and the following information:
a)    the purpose of the processing
b)    the categories of personal data concerned
c)    the recipients to whom we have disclosed or will disclose the personal data, in particular recipients in countries outside the EU
d)     the period for which the personal data will be stored
e)    the existence of your right to request us to rectify or erase personal data or to restrict processing of personal data or to object to such processing
f)    your right to lodge a complaint with a Supervisory Authority
g)    where the personal data are not collected directly from you, information as to their source
h)    whether there is any automated decision-making from the data, and, if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
i)    Where we transfer your personal data to a country outside the EU, the appropriate safeguards we have in place to protect your rights.

1.3    Right to rectify inaccurate data
If we hold inaccurate or incomplete personal data on you, we will rectify this without undue delay on receiving your request.

1.4    Right to erasure (“Right to be forgotten”)
You have the right to request us to erase your personal data and for us to act on the request without undue delay, where one of the following grounds applies:
(a) Your data are no longer necessary in relation to the purposes for which they were originally processed
(b) You withdraw consent and we have no other legal basis for processing your data
(c) Our basis of lawfulness for processing is our legitimate interests, and you claim that we have no legitimate grounds for the processing which override your interest, rights, and freedoms
(d) The processing is for direct marketing, and you object to this
(e) We have been unlawfully processing your data
(f) We have to erase your data for compliance with a legal obligation in EU or Member State law to which we are subject
(g) Our basis of lawfulness for processing the data is consent given by a guardian for a child, and either (I) you are the guardian and the child is still under the age of consent, or (II) you are the child now older than the age of consent. In Romania, the age of consent for processing of personal data is 18.

Please note that we cannot erase your personal data to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the request is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
(e) for the establishment, exercise or defence of legal claims

Your data will continue to exist temporarily on backup files after this deletion, but we use IT security techniques to ensure that these are accessible only for the purpose of restoring the database in the event of a loss of data and that they cannot be copied to reveal data.  We destroy backup files on a rotating basis within 60 months.

1.5    Right to withdraw consent
Where you have given us consent for any processing, you have the right to withdraw consent at any time.  You can do this by sending a request to the email address given in the relevant subsection of section 2 Activities below, which lists the different activities for which we manage personal data.

Note that your withdrawal of consent will not affect processing which we have already done.

1.6     Right to request restriction of processing
You can request that Danubius restricts the processing of your personal data where one of the following applies:

  • You contest the accuracy of the personal data
  • We no longer have a basis of lawfulness for processing, but you oppose us erasing the data and you request that we restrict their use instead
  • We no longer need the data for the original purpose, but you require them for the establishment, exercise, or defence of legal claims
  • You object to our processing on the grounds that we state our legal basis as “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these.

Where processing is restricted under your objection, except for continuing to store the data we shall process them only with your consent or:
a)    for the establishment, exercise or defence of legal claims
b)    for the protection of the rights of another person, or
c)    for reasons of important public interest of the EU or of a Member State.

Where we restrict processing, we shall inform you before we lift the restriction.

Operational practicalities may prevent us restricting processing precisely as envisaged by GDPR, but in such a case we will work with you to try to find a satisfactory resolution.

1.7    Right to object to processing
You have the right to object to our processing your personal data where:

  • Our basis of lawfulness for processing is “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these
  • We process your data for direct marketing purposes, including “profiling” to the extent that it is related to such direct marketing.  (Profiling is automated decision making which analyses or predicts aspects such as your economic situation, personal preferences, behaviour, or location.) Where you make such an objection we shall no longer process your data for such purposes.

1.8    Right not to be subject to automated decisions
You have the right not to be subject to a decision based solely on automated processing, if this produces legal effects on you or similarly significantly affects you.

However, this does not apply:
(a) if the decision is necessary for us to perform a contract with you or if we have your explicit consent, or
(b) if the automated process is authorised by an EU or Member State law which also defines measures we have to follow which safeguard your rights, freedoms, and legitimate interests.

In case (a), we have to implement suitable measures to safeguard your rights, freedoms, and legitimate interests.  This includes at least your right to make us ensure human intervention, and your right to express your point of view and to contest the decision.

1.9    Data portability
GDPR gives a data subject the right in certain circumstances to receive the personal data concerning him or her “in a structured, commonly used and machine-readable format”. The right includes having the personal data transmitted directly from one controller to another, where technically feasible.
Where you apply under 1.2 above for access to your own personal data, we will normally supply this in a commonly-used electronic format, unless you specifically ask us to send you a written copy.

1.10    Right to complain to a “Supervisory Authority”
If you believe that we have treated you unfairly or unlawfully under GDPR, you can complain to a Supervisory Authority for data protection.  If you are normally resident in an EU country other than Romania, you have the right to raise a complaint with the Supervisory Authority of that country.  This link will give you the name and contact details:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

If you are normally resident in Romania or outside the EU, you can complain to the Romanian Authority:

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, cod postal 010336
Bucuresti, Romania
Telefon:  +40.318.059.211
               +40.318.059.212
Fax: +40.318.059.602
E-mail: anspdcp@dataprotection.ro

1.11    Right to an effective judicial remedy against a controller or processor
If you believe that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR, you have the right to an effective judicial remedy.
Proceedings against a controller or a processor shall be brought before the courts of the EU Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the EU Member State where your habitual residence is.

1.12    Contacting Balneoclimaterica regarding GDPR
Certain sections on individual activities in section 2 give dedicated contact addresses for specific enquiries. Otherwise, to exercise one of the rights described above, or to make a complaint directly to Balneoclimaterica or to contact us with a general enquiry regarding GDPR or privacy, the email and postal addresses are:

privacyfeedback@szovata.ro

SC Balneoclimaterica SA Sovata
545500 Sovata, Judetul Mures
Str. Trandafirilor Nr. 99
Romania

2)    Data processing
2.1    Room reservation
For reservations made online, in person at a hotel, or by phone, we ask for some or all of the following personal data fields:

  • Full name
  • Arrival date
  • Departure date
  • Number of adults in the room
  • Type of room
  • Full credit card details
  • Personal numeric code or full postal address for the purpose of issuing the advance invoice
  • The treatment bundle
  • Email address
  • Phone number
  • Arrival time
  • All services and their cost
  • Free text – including for example any preferences

Purpose of data processing:
The purpose of our collecting this data is to enable us to identify the guest making the reservation, so that we can keep the room for the right person at check-in, and to record a means of payment so that we avoid financial risk if the guest does not check in to the hotel.  We will use your email address
(i) in the unusual situation where we have to advise you of a change impacting your reservation
(ii) three days before your planned arrival, in order to remind you of details such as the hotel address and check-in time, and
(iii) three days after you leave to ask for comments on your stay, in order that we can improve our service for future visits for you and other guests. 

Legal basis of data processing:
The basis of lawfulness of our processing this data is that we need them in order to fulfil a contract to reserve a room for you. In addition, we process your email address to send you a post-stay email on the basis of “legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.  Our legitimate interests here are maintaining a high quality of service, and we believe that sending you the post-stay email does not affect your fundamental rights.

If you do not give us the data requested we will either be unable to reserve a room for you or be unable to contact you if there is a problem.

Transfer of data outside the EU
When you make a reservation on our website you are entering data into an application run by Sceptre Hospitality Resource, a USA company.  Your personal data is therefore transferred outside the EU.  In order to ensure that you maintain the rights you have under GDPR over your personal data, we have implemented the following safeguards:
a)    We have contractual terms between Sceptre and ourselves defining and restricting the processing they do on the data;
b)    Sceptre is certified for the “EU – US Privacy Shield”.  This is an intergovernmental agreement between the EU and the USA and is recognised by the EU Commission as ensuring protection of data equivalent to data protection standards in the EU.
The EU Commission decision can be seen on their official website, for example their press release of 18 October 2017 at http://europa.eu/rapid/press-release_IP-17-3966_en.htm.

Period of data processing:
We manage retention of personal data at the level of individual data fields, rather than at the level of the total data for a guest.  For example, we may retain a record of your name and check-in date for longer than your email address.

In some cases we have a statutory obligation to hold personal data for an extended period.  The main categories are:

  • Where information is needed for an invoice or other tax records, we have a statutory obligation to retain this for 10 years after the end of the calendar year.  Thus if we invoice you on check-out on 30 June 2018, we have to keep the data until 31 December 2028.
  • A hotel has a statutory obligation to make a report to the Police for all guests who check in.  We have a statutory obligation to keep the information included in these reports for 5 years from the date of check-in.
  • Where guests book medical treatment at one of our spa hotels, we have a statutory requirement to keep the medical personal data which we receive for 10 years.


Where we do not have such a statutory obligation, we keep personal data for 5 years from check-in.  We have chosen this period based on the desire of some guests to have their data available when they book for a subsequent visit to one of our hotels. 

We delete all personal data after the longest of the relevant retention periods above.

Your data will continue to exist temporarily on backup files after this deletion, but we use IT security techniques to ensure that these are accessible only for the purpose of restoring the database in the event of a loss of data and that they cannot be copied to reveal data.  We currently back up the entire database and destroy copies on a rotating basis within 120 months.  We use this period to ensure that we can restore our tax records if needed within the 10-year statutory period.  We are looking at creating a separate backup schedule for statutory information so that we can delete backup copies of most personal data on a much shorter timescale.

If you want to exercise any of your rights listed in section 1 or to contact us for any other reason regarding this data, please email privacyfeedback@szovata.ro.

2.2    Check-in
Upon using hotel services, at the time of check-in Guests shall fill in a hotel registration card with some or all of the following personal data fields:

  • first name and surname
  • address
  • citizenship (exclusively for statistical purposes, with the managed data not able to be traced back to the specific person)
  • place and date of birth
  • ages of children
  • beginning and ending date of the hotel stay
  • personal numeric code or full postal address for the purpose of issuing the invoice
  • identification data of the travel document (passport)
  • email address, optional (exclusively for company newsletter)


The law prescribes the management of the following data with regard to citizens of third countries:
natural personal identification data, and additionally,

  • identification data of the travel document (passport)
  • address of the hotel
  • beginning and ending date of the hotel stay
  • visa number, certificate of registration

Citizens of third countries: apart from Romanian citizens, all persons who are not citizens of a member state of the European Economic Area, including displaced persons. Member states of the European Economic Area are:

  • member states of the European Union;
  • Iceland, Liechtenstein and Norway as participating member states,
  • as well as Switzerland, as a state with similar legal status.

Providing the required data by the Guests is a precondition for using hotel services.

Purpose and legal basis of data processing:
The Company shall manage such data in order to fulfil its obligations prescribed in the relevant legal regulations (particularly regarding the laws related to immigration control and tourism tax), to provide the requested services on a contractual basis, as well as to verify the completion of services and/or to identify the Guests for as long as required by the competent authority to manage the fulfilment of obligations as defined in the given laws.

By signing the registration card, Guests consent to the Company managing and/or archiving the personal data provided by filling in the registration card in order to verify that the contract was concluded and/or performed.

Transfer of data
We have a statutory obligation to transfer some of the personal data of all guests who check in to the Police.

Period of data processing:

We manage retention of personal data at the level of individual data fields, rather than at the level of the total data for a guest.  For example, we may retain a record of your name and check-in date for longer than your email address.

In some cases we have a statutory obligation to hold personal data for an extended period.  The main categories are:

  • Where information is needed for an invoice or other tax records, we have a statutory obligation to retain this for 10 years after the end of the calendar year.  Thus if we invoice you on check-out on 30 June 2018, we have to keep the data until 31 December 2028.
  • A hotel has a statutory obligation to make a report to the Police for all guests who check in.  We have a statutory obligation to keep the information included in these reports for 5 years from the date of check-in.
  • Where guests book medical treatment at one of our spa hotels, we have a statutory requirement to keep the medical personal data which we receive for 10 years.

Where we do not have such a statutory obligation, we keep personal data for 5 years from check-in.  We have chosen this period based on the desire of some guests to have their data available when they book for a subsequent visit to one of our hotels. 

We delete all personal data after the longest of the relevant retention periods above.

Your data will continue to exist temporarily on backup files after this deletion, but we use IT security techniques to ensure that these are accessible only for the purpose of restoring the database in the event of a loss of data and that they cannot be copied to reveal data.  We currently back up the entire database and destroy copies on a rotating basis within 120 months.  We use this period to ensure that we can restore our tax records if needed within the 10-year statutory period.  We are looking at creating a separate backup schedule for statutory information so that we can delete backup copies of most personal data on a much shorter timescale.

If you want to exercise any of your rights listed in section 1 or to contact us for any other reason regarding this data, please email privacyfeedback@szovata.ro.

   
2.3    Spa health treatments

In the hotel, you will be provided the requested medical services on the basis of a pre-ordered package or as selected by you on site. Before using the medical service in question, a dispatcher working at the separated medical department directs each Guest to a medical doctor. At the doctor’s, you will receive a Treatment record card, filled by your doctor on the basis of the following:

  • Identification data: name, room number (optional), in some cases social security card and/or personal identification number
  • Medical history: illnesses, medicaments, ailments etc. Recording of medical data is part of the medical treatment, however on your record card we will register the relevant medical history (illnesses) only with codes.  The attending doctor will decide what medical data shall be recorded in order to comply with professional standards.

After that, the Guest shall take their Treatment record card to the treatment in question where staff participating in the provision of the treatment will only see the minimum information needed for the treatment indicated on the Treatment record card. Detailed patient information will only be seen by the doctor and their assistant.

Purpose of data processing:
Recording healthcare data is a normal part of medical treatment. The purpose of data management is to ensure safe and proper treatment.

Legal basis of data processing:
As it was you who contacted us for the provision of medical treatment, your consent to the processing of your medical and personal identification data in the context of your medical treatment shall be considered as granted, unless otherwise provided. You can withdraw your consent any time, however, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, we will be unable to provide medical services to you.

Period of data processing:
Our statutory obligation is to retain medical records for 50 years.

Transfer of data:

Healthcare data may only be transferred to other doctors or third parties upon a Guest's request. Furthermore, a Guest's consent is also required to share the recorded data with a doctor who has not treated the Guest before. The Guest's own GP may receive these medical data unless specifically objected to by the Guest.

The Company, the persons representing the Company as well as the data processor shall maintain the confidentiality of medical information. The Company or its representative shall be exempted from confidentiality, if
-    a) the data subjects or their legal guardian have consented in writing to transfer healthcare and personal identification data, within the limitations defined therein, and
-    b) the transfer of healthcare and personal identification data is required by law.

The data subjects have the right to be informed about data processing related to their medical treatment, to access the healthcare and personal identification data concerning them, to view their healthcare documentation, and to receive a copy of such documents.

This right is also given to persons entrusted by the data subjects during their treatment in writing, as well as persons authorized by the data subjects in a fully-conclusive private document following treatment.   

The handling of healthcare data by the Company shall be administered in accordance with the relevant provisions of the Data Protection Act.

If you wish to exercise any of your rights referred to in Section 1 regarding the data recorded during the provision of health services, or if you wish to contact us for any other reasons regarding your data recorded during the provision of health services, please let us know by sending an e-mail to privacyfeedback@szovata.ro.


2.4    Fitness Centre
Guests are entitled to use the fitness room outside business hours if they sign a health condition and risk / responsibility statement.
Provided data: name / signature.
Purpose of data processing:
Provision of gym services. The name is used for identification purposes, and the health condition statement to avoid health risks.
Legal basis of data processing:
Performance of the contract concluded for the provision of gym services. Entering your data is voluntary, however, processing data such as your name is indispensable for provision of the service.
In the framework of this service, we process your medical data on the basis of your express consent. You may withdraw your consent any time, however, the withdrawal of consent shall not affect the lawful processing before its withdrawal.
Period of data processing:
Your personal details will be processed for 31 days following the signing of the statement.
If you wish to exercise any of your rights referred to in Section 1 regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please inform us by sending an e-mail to privacyfeedback@szovata.ro.

2.5    Guest questionnaire, evaluation systems, complaint management

As part of the quality assurance process applied by the Company, Guests may provide feedback on the services of the hotels of Balneoclimaterica via an online or paper-based guest questionnaire and/or evaluation system. When filling out the questionnaire, Guests may provide the following personal data:
-    name;
-    date of visit;
-    room number;
-    contact (address, e-mail address, phone number);

During consumer complaint handling, if you do not agree with the immediate handling of your complaint, or if immediate investigation of the complaint is not possible, the Company will give the customer the possibility to provide a detailed written description of the complaint for the management of the Company.
The description shall contain:

  • The name and room number of the customer
  • The place, time and mode of submitting the complaint
  • The detailed description of the complaint of the customer, the list of documents and other evidence provided by the customer
  • Contact of the customer (address, telephone number or email address)

Purpose of data processing:
Providing these data is not obligatory; the data merely serve the purpose of an accurate investigation of possible complaints and/or enable the Company to respond to the guest.

The feedback received in this manner and the data potentially provided by the Guest may not be traced back to the Guest or linked to the name of the Guest, but may be used by the Company for statistical purposes.

Legal basis of data processing:
Your implied voluntary consent. Please note that if we do not receive your consent to the processing of your data or if you withdraw such consent, we will not be able to answer your question. The withdrawal of consent shall not affect the lawful processing before such withdrawal.

Period of data processing:
Personal data provided along with filling out the Guest Questionnaire or written complaint management shall be deleted by the Company within one year following the given year.
The Company shall delete the e-mail address and user name provided for the online evaluation system upon Guests’ request sent to privacyfeedback@szovata.ro.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to privacyfeedback@szovata.ro.

2.6    Surveillance cameras
The Company operates surveillance cameras in the area of the hotels operated by the Company in order to ensure the security of Guests and their property. Camera surveillance is indicated by a warning sign with text.

Purpose of data processing:
Cameras are used in order to guarantee the safety of Guests and their assets.

Video surveillance is used for the protection of property, that is, assets of considerable value, and of the Guests’ personal belongings, taking into consideration that otherwise it would not be possible to detect offences, catch perpetrators in the act, prevent such unlawful acts, and provide evidence.

Legal basis of data processing:
 The legitimate interest of controller.

Period of data processing:
You can receive more information about the period of data processing and data management in relation to the camera system in each hotel or by sending such a request to privacyfeedback@szovata.ro.

2.7    Newsletter
The Company shall not send newsletters to natural persons unless consented to by the data subject. The data subjects consent to the Company sending electronic newsletters to their e-mail address by providing an address in the course of signing up for the newsletter (at the website, via e-mail or in print). By providing their email address, the data subjects consent to having promotional material sent to them.

When sending you newsletters, we process your name, e-mail address and occasionally, your home address. When setting your newsletter preferences, you can specify the topic of the newsletter, and also the region it applies to.
The Company shall store the provided personal data on a special list, separated from data handed over to the Company for other purposes. This list shall only be accessible to the Company's authorized personnel and data processors. The Company shall not disclose the list or data to any third party and/or unauthorized parties and shall take all security measures to prevent any unauthorized person from viewing them.

Purpose of data processing:
The purpose of data management in relation to sending newsletters is to provide comprehensive, general or customized information to the addressee regarding the Company's latest special offers. 

Legal basis of data processing:
Your voluntary consent. Please note that if we do not receive your consent to the processing of your data we will not be able to send you newsletters.

Period of data processing:
We will only send you newsletters as long as you request them. If you no longer wish to receive newsletters, you can unsubscribe at any time either by using the dedicated link at the end of each newsletter or by notifying us at sovatahotel@szovata.ro, hirlevel@danubiushotels.com or newsletter@danubiushotels.com.

You may also unsubscribe from the newsletter by written request at the following postal address: S.C. Balneoclimaterica S.A., 545500 Sovata, Trandafirilor str. 99.

Transfer of data:
Data is transferred within Danubius Hotels Group. Please note that Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. can also be indicated as senders of the newsletter. For more information please refer to Section 3. As regards the processing of data in the framework of newsletters, the above mentioned hotels proceed in accordance with this Policy.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to sovatahotel@szovata.ro, hirlevel@danubiushotels.com or newsletter@danubiushotels.com.
 

2.8    Europoints – Loyalty Programme
Purpose of data processing:
The Company's Guest Loyalty Programme (database managed and operated by Cardnet Co.) is an exclusive service provided for Guests of the hotel - natural persons - with the purpose of providing discounts to returning guests.
Within the programme, the Company processes the following personal data:
In case of a natural person:

  • Name
  • Gender
  • Postal address
  • Address
  • Phone number
  • E-mail address
  • Date of birth (minors under eighteen years of age may not participate in the programme)

Furthermore, we process your Loyalty card number and password.

Participation in the programme may occasionally require the provision of further personal data, in which case the Company may request the given data and inform the data subject about the purpose, manner and duration of data management.

Legal basis of data processing:
The participants of the programme specifically consent to the Company managing their personal data handed over for the purpose of operating the Guest Loyalty Programme, and/or sending newsletters specifically written for members of the Guest Loyalty Programme. Based on this consent, the personal data handed over shall be managed for as long as the data subjects participate in the given programme.
Joint data processing:
In order to facilitate the operation of the given programme, the Company has the right to transfer the provided data to its representatives, subcontractors, data processors and foreign subsidiary companies under the condition that they may not transfer these personal data to any third party except to their data processors. Objecting to the transfer of these data by the data subjects shall render their participation in the given programme invalid, thus entailing their cancellation from the programme.

Please note that regarding the Loyalty Programme, for the sake of interoperability, Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. shall be joint controllers. For more information on the companies, please refer to Section 3. As regards the processing of data the joint controllers proceed in accordance with this Policy.

Period of data processing:
The personal data shall be processed for as long as the data subject participates in the programme. Membership status in the Guest Loyalty Programme shall become inactive within 3 (three) years after the date of the last hotel service used. The Company shall store the members' personal data for the period of time defined in the provisions of the relevant tax and accounting laws, and shall delete them after that period.

Data on members in the Guest Loyalty Programme may be used for market research purposes, but the specific Guests must be informed of it in advance and their prior consent shall be required.

Guests can request the deletion of their data managed in the guest loyalty programme by sending an e-mail to dep@danubiushotels.com or sovatahotel@szovata.ro, or a letter to the Company’s postal address (Balneoclimaterica SA, 545500 Sovata, Trandafirilor str. 99.), with the proviso that this shall not affect the lawful processing based on consent before its withdrawal. Please note that without giving your consent you may not participate in the Loyalty Programme.

2.9    Danubius Gift Card
When purchasing a Danubius Gift Card (hereinafter: Gift Card), Customer shall provide the following personal data:

  • name
  • billing name and address
  • name of guest

Purpose of data processing:
The purpose of data management is to maintain contact with the customer and deliver gift cards.

Legal basis of data processing:
The performance of the contract entered into for the issuance of the gift card or voucher. Providing the data is mandatory; it is a requirement for the provision of the service.

Period of data processing:
Personal data obtained this way shall be retained by the Company for 10 years, in accordance with the provisions of the prevailing tax and accounting laws.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to sovatahotel@szovata.ro.

2.10    Debit card data
In case of room reservations, we request you to give the following debit card data:

  • Name of debit card
  • Number of debit card
  • Expiry date of credit card/debit card
  • Occasionally, CVC/CVV code

Purpose of data processing:
Providing reservations and charging the total amount of your reservation or only a part of it, depending on cancellation.

Legal basis of data processing:
The performance of the contract entered into for the provision of room reservation as a service. Providing the data is mandatory; it is a requirement for the provision of the service.

Period of data processing:
Debit card data shall be encrypted, and shall be revealed exclusively for transaction purposes and only to authorized persons. After the departure from the hotel, these data shall not be revealed; access to these data is prevented. The data shall be deleted after 10 years.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to sovatahotel@szovata.ro or privacyfeedback@szovata.ro.

2.11 Social media (e.g. Facebook, Instagram)
The Company and the hotels operated by the Company can also be contacted individually via Facebook and Instagram social media portals. By clicking the “like” and “follow” buttons on the given page, Facebook users may subscribe to the newsfeed published on the wall, by clicking the “dislike” button they may unsubscribe and, by adjusting the newsfeed settings, news they don’t wish to follow may also be deleted from their Facebook wall. The Company is able to access its “followers’” profiles, however, it does not record or process them in its own internal system.

Purpose of data processing:
Sharing the contents on the website of the Company and of the hotels operated by the Company, sharing other news and offers, maintaining contact. You may reserve rooms and learn about the latest offers via the Facebook page.

Legal basis of data processing:
Your voluntary consent which can be withdrawn at any time by unsubscribing. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal. In case of a withdrawal, you will not get notifications on your newsfeed, our news will not be posted in your newsfeed and yet you can still access the Company’s newsfeed since our page is public.

Period of data processing:
Data are processed until you unsubscribe.

Data shall not be transferred and data controller shall not be engaged.
Facebook and Instagram are separate data controllers, independent of us. Please visit the following links for more information regarding Facebook’s data processing, data protection directives and regulations:

Regarding Instagram’s data processing, you can obtain more information by clicking the link below:

In the case of room reservations, the system automatically redirects the Guest to the Company's website. Data management shall be conducted in compliance with Article 2.1 (room reservation).

The Company also publishes photos/videos about various events/hotels/restaurants, etc. on its Facebook page. Unless it is a photo of a group of people, the Company shall always request the prior written consent of the data subjects before publication.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to privacyfeedback@szovata.ro.

2.12    Contact
You can contact us at any of our contact details (e-mail, Facebook, phone, by post or through the forms developed for this purpose, e.g. inquiry). In such cases, we assume your consent to the processing of personal data shared with us.

Purpose of data processing:
Maintaining contact with the requesting person, answering and resolving the question/request.

Legal basis of data processing:
Since you contacted us, the legal basis of data processing is your (presumed) voluntary consent. You may withdraw your consent at any time, however, in this case we cannot answer your request. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal.

Please note that the data fields of certain forms have been developed according to our experience, thus you are only requested to give the data most necessary for answering the question/request. The mandatory fields are marked with a red asterisk.

Period of data processing:
After answering the relevant request, question or complaint, the messages and the personal data obtained in this context shall be deleted after 5 years following the given year.
Transfer of data:
The inquiry regarding a particular hotel shall/can be forwarded to the relevant member of the Danubius Hotels Group.


2.13 Automatically recorded data, cookies and “remarketing codes”
2.13.1 Automatically recorded data
When you open our website on a device (such as a laptop or desktop computer, a smartphone or a tablet), select data of that device will be automatically recorded. The data automatically recorded include the IP address of your device, the date and time of your visit to our website, the browser type and the domain name and address of your Internet provider. The recorded data will be automatically logged by the web server of the website, without requiring your consent or any dedicated activity on your part. The system uses the recorded data to automatically generate statistical data. These data cannot be associated with other personal data except where such an association is mandated by law. These data will exclusively be used in an aggregated and processed form, to correct errors and improve the quality of our services, and for statistical purposes.

Purpose of data processing:
The technical development of the informatics system, the monitoring of the service, and the generation of statistical data. In case of fraudulent activities these data can also be used – in co-operation with the user’s Internet provider and the law enforcement authorities – to determine the source of such fraudulent activities.

Legal basis of data processing:
The requirement of the provision of the service as per Act CVIII of 2001 on certain issues of electronic commerce services and information society services, Article 13/A Section (3).

Period of data processing:
30 days from your opening our website.

2.13.2.    Cookies and similar technologies
What are cookies?
Cookies are small, text-based files which are stored on the hard disk drive of computers or smart devices until the validity end date set within the cookie file, and are activated (sending a notification to the web server of the website) every time the website is opened in a browser on the device. Websites use cookies for the purpose of recording information regarding the use of the website (pages visited, time spent on the pages, browsing information, logouts etc.) and personal settings – but these data cannot be associated with the visitor’s identity. Cookies allow the websites’ operators to maintain user-friendly sites and enhance the user experience their websites offer to their visitors.

On platforms where cookies are not available or cannot be used, other technologies are applied to achieve goals similar to those of using cookies – examples include the ad-IDs used on Android-based mobile devices.

Cookies come in two types: “session cookies” and “persistent cookies”.

  • “Session cookies” are only stored on the computer or smart device temporarily while the visitor is using the website; these cookies allow the system to “remember” certain information, so the visitor will not have to provide them every time they open the website. The validity period of session cookies is limited to the duration of the use of the website; the purpose of the use of session cookies is to prevent the loss of data (for example when filling in a longer form). At the end of each use of the website – each session – as well as when the browser is closed cookies of this type are automatically deleted.
  • “Persistent cookies” will remain stored on the computer or smart device after the website is closed. Cookies of this kind are used to allow the website to identify returning visitors. Persistent cookies identify returning visitors by associating the server-side ID with the user, therefore they are an essential part of the functionality of websites which require the users to be authenticated – for example on web stores, netbanking websites and webmail sites. The persistent cookies do not contain personal data, they can only be used for the unique identification of users by associating them with the proper item in the database stored on the web server of the website. The inherent risk of using persistent cookies is that they can only identify the web browser as opposed to the user themselves, so if a user uses a public access point – such as a computer in an Internet café or a public library – to log in to a web store and fails to log out of the store at the end of their session another person can have unauthenticated access to the web store, being falsely identified by the system as the original (and therefore authenticated) user.

How can I allow and disable cookies?
Most Internet browsers automatically allow cookies, but the users can delete or reject them. As every browser is different you can set your cookie preferences manually in the Settings section of your browser. If you do not want to allow any cookies of our website on your device you can modify your browser settings so you are notified of cookies sent to your device, or you can simply reject all cookies. You can also delete the cookies stored on your computer or mobile device, any time. For more information on modifying the browser settings please consult the Help function of your browser. Please note that if you choose to disable cookies you limit the functionality of the website.

What cookies do we use?

1. Cookies essential for the operation of the website:
These cookies are essential for the proper functionality of the website, so in their cases the legal basis of data processing is the requirement of the provision of the service.
a) Fill-in guide
Purpose of data processing: To facilitate the filling in of the forms by automatically providing the user with the data deemed correct by the system.
Period of data processing: the duration of the visit to the website

b) Search aid
Purpose of data processing: Aids search sessions to minimise search time
Period of data processing: the duration of the visit to the website

c) Spell check
Purpose of data processing: Automatic notification regarding suspected typing errors
Period of data processing: the duration of the visit to the website

d) Language setting identification:
Purpose of data processing: The system uses the normal cookie to uniquely identify the visitor while they are using the website, to be able to “remember” the visitor’s language settings.
Period of data processing: This cookie is stored for 29 days.

e) Social network cookie (Facebook, Instagram, Google+, Youtube)
Purpose of data processing: This cookie allows the sharing of content of the website, on social media.
Period of data processing: This cookie is stored for the duration of sharing the content.

Regarding Facebook please read Section 2.11.

f) Multimedia player (YouTube)
Purpose of data processing: This cookie allows the playing of videos on the website.
Period of data processing: This cookie is stored for the duration of playing the video.

2. Cookies to obtain statistical data
The sole function of these cookies is to obtain statistical data, which means they do not involve personal data. They monitor the visitor’s use of the website: which topics they prefer, what they click on, how they scroll on the website, what pages they visit. It is important to note that these cookies strictly obtain anonymous data. These cookies let us know, for example, how many visitors our website has per month. The obtained statistical data allow us to improve our website so it reflects the preferences of our users even more. Google Tag Manager (and Google Analytics) and Hotjar help us obtain such statistical data.

3. Marketing cookies
The purpose of using marketing cookies is to create and send personalised ads.
Legal basis of data processing: Using these cookies always requires the recipient’s consent which the recipient may grant us in a pop-up window on the website. The user may withdraw their consent any time, however, the withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal. Upon the withdrawal of consent the personalised ads created for the user will not be published on other sites.

a) Categorisation based on the location of the visit
Period of data processing: 269 days

b) Personalised offers on Facebook
Period of data processing: a maximum of 180 days

c) Monitoring clicks on Company ads
Period of data processing: 2 years

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to privacyfeedback@szovata.ro.

Joint data processing:
Regarding the processed data Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. are joint controllers. For more information please refer to Section 3. As regards the processing of data the joint controllers proceed in accordance with this Policy.

2.13.3. Web links
Our website may contain web links to sites which are not managed and operated by the Company, and are linked to our site for the purpose of providing information to the users. The Company has no influence over, and therefore may not be held responsible for, the content and the safety situation of the websites managed by its partner companies. Please, consult their privacy policies before providing any information on such websites you visit.

2.14    Job applications
If you apply to work with Balneoclimaterica, we will use the information you give us only to process your application and to monitor recruitment statistics.

Purpose of data processing:
The purpose of data processing is to allow the provision of information to the job seekers regarding the advertised jobs, the selection of the qualifying applicants and to contact the selected applicants.

Legal basis of data processing:
Your consent, which is implicit for applications via e-mail or in printed format. You have the right to withdraw your consent at any time, via e-mail or in a letter. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal. Please note that while you provide the requested data on a voluntary basis, we cannot proceed with your application in lack of any requested document or data, or if you withdraw your consent.

Period of data processing:
Having made the selection, we process the CVs, personal data and documents of the applicants to specific job advertisements sent to us as part of their application, as per the following:

– We retain the application of the applicants we did not select for the job in our applicant database for a period of one year after the selection is made. After one year the application and data of the applicant are deleted from the database.

– We transfer the data of the applicant selected for the job to our employee database and delete them from the applicant database.

The processing of general, non-specific applications:

  • We store the application we receive in a letter or email in our database for a period of one year. After one year the CVs and data contained by such applications are deleted from the database.


Transfer of data:
Upon the data subject's consent, the data can be transferred to third parties, like Danubius Hotels Zrt and Arisende s.r.o. For more information please refer to Section 3. Danubius Hotels Zrt. and Arisende s.r.o. process the data obtained, as per this Policy.

If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to privacyfeedback@szovata.ro or hr.balneo@szovata.ro.

2.15    Staff
All of the information in this Policy and all of the rights described in Section 1 also apply to Balneoclimaterica’s staff and to our processing of their personal data.

We provide staff directly with full information of our Employee Privacy Policy and of our processing of their personal data.

2.16    Business contacts
In common with most companies, we deal with individuals at other organisations and store their name, business function, and business contact details.

Purpose of data processing:
 Enabling the two companies to communicate with a view to working together. 

Legal basis of data processing:
Our basis of lawfulness for doing this is our legitimate interests in the performance of the contract or keeping contact between companies.

We will not use the data on these business contacts other than to facilitate business with the other company.  For example, we will not market services to the individuals whose data we hold or transfer the data to any third party.
Period of data processing:
At least annually we will review our records of business contacts and delete those which are no longer current.
The same policy applies to the processing of personal data of press contacts.

3)    Legal reference information (including contact details)

Under GDPR, Danubius, as the controller of the personal data which it processes, must publish information about its legal name and how to contact it, together with other details.  This section contains all the information required by GDPR, together with some useful additional legal information.

The full legal name of the legal entity which operates our hotels is:

SC Balneoclimaterica SA Sovata

Its business activity is Hotel Operation and Services

Its registered address is: 545500 Sovata, Str. Trandafirilor Nr.99.

It is registered in Romania, with Company Registration Number: RO 1245068 registered by the Registry Court.

Its Tax Number is: J26/266/1991 

Its phone number is: 0265-570940

Its legal associate responsible for data protection is: Rusu Aurelia Adriana. She can be contacted by email at aurelia.rusu@szovata.ro.

For the purpose of profile cleaning, Danubius hotels have been divided into two divisions: City Division comprises city hotels while SPA Division manages health spa & wellness hotels. City hotels continue to be operated by Danubius Zrt, while the operation of health spa & wellness hotels has been taken over by Arisende s.r.o. of Marianske Lazne. As a result, Danubius Zrt and Arisende s.r.o. act as joint controllers for the hotels indicated below as per the provisions of this Policy. Dr Helga Sztanó is responsible for issues of data protection arising in the course of joint data processing.

Company name: Arisende s.r.o.
Registered seat: Masarykova 22/5, 353 01 Mariánské Lázně, Czech Republic
Court of Registration:  Krajský soud v Plzni
Registration number: C 33301
ID number: 05456274.

In addition to Danubius Zrt/Danubius Hotels Zrt, the owners of the hotels operated by Arisende are the following:

Company name: CP Regents Park Two Ltd.
Registered seat: CP House, Otterspool Way, Watford WD25 7JP, UK
Registration number: 5307946.
EU tax number: GB 848957555

Company name: Slovenske liecebne kupele Piešťany, a.s.
Abbreviated name: SLKP, a.s.
Registered seat: Winterova 29, 921 29 Piešťany, Slovakia
Registration number: Obch. reg. KS Trnava, odd. Sa, vlozka č. 181/T
EU tax number: SK2020389668

Company name: SC Balneoclimaterica SA Sovata
Registered seat: Str. Trandafirilor nr. 99, Cod.545500, Romania
EU tax number: RO1245068
Registration number: J26/266/1991

Company name: Léčebné lázně Mariánské Lázně a.s.
Registered seat: Masarykova 22, 353 29 Mariánské Lázně, Czech Republic
Registration number: B 196
EU tax number: CZ45359113

The above companies are jointly deemed the Danubius Hotels Group.


4)    Terms and abbreviations used in this Disclosure
Most of the definitions refer to the EU’s General Data Protection Regulation (GDPR).  This is a legal document, and it is not possible to give a short definition in simple language which is fully exact.  The aim here is to give a clear explanation which will facilitate the reader’s understanding; this may sometimes exclude detail of the full legal definition.  Our policy is to comply with the full requirement of GDPR, and your rights are not affected by any simplification in the explanations here.

Term or Abbreviation    Explanation
Controller    The legal entity which determines the purposes and means of the processing of personal data;
Data subject    A live individual inside or outside the EU dealing with an organisation in the EU.  Such an individual is a “data subject” and under GDPR has rights over the processing of his or her personal data. 

(A live individual resident in the EU is also a data subject with equivalent rights when dealing with a non-EU organisation which specifically markets into the EU. This is not relevant in the case of the Danubius companies.)
EU    The European Union
GDPR    The General Data Protection Regulation of the EU, which came into force 25 May 2018.
Personal data    Any information relating to an individual who is or can be identified through a wide variety of methods, including but not limited to:

  • The individual’s name, identification number, location data, or an online identifier, or
  • One or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Processing    Any operation or set of operations which is performed on personal data, whether or not by automated means, including but not limited to:

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
Processor    A legal entity which processes personal data on behalf of a controller.
Profiling    Automated processing which uses personal data in order to analyse or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements of an individual
Pseudonymisation    Encrypting or otherwise holding personal data in a way in which it cannot be linked to a specific data subject without additional information. The additional information has to be kept separately and protected by technical and organisational measures to prevent its unauthorised use.
Special categories of data    There are very strict restrictions on processing of personal data within “special categories”.  These are:

  • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership,
  • The processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or a person's sex life or sexual orientation, or
  • Criminal convictions.

Supervisory Authority    An independent public body set up by an EU state to monitor the application of GDPR and, as necessary, to intervene to protect the rights of individuals under GDPR
Third Country    Any country outside the EU
Transfer    Sending of personal data from the controller or processor to a legal entity outside the EU.
