Therme

DATA PROTECTION

CONFIDENTIALITY STATEMENT

CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY OF

THERME NORD BUCURESTI

1. Introduction

The confidentiality of your personal data represents one of the main concerns of Therme Nord Bucharest in its capacity as data controller. This is why we want to be fully transparent in respect of the processing of personal data, by providing you with all the information you need in connection with this topic.

According to the requirements of General Data Protection Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as further amended, Therme Nord Bucharest, having its registered office in Romania, Sibiu County, 2 Alexandru Vlahuță Street, having a working point in Balotești, 1K Calea Bucharest Street, Ilfov County, has an obligation to manage the personal data provided by you or collected by us in relation to your person safely and solely for the specified purposes.

This document is intended to inform you on the processing of your personal data in the context of the use of the internet website www.therme.ro (and of the related pages, such as shop.therme.ro, b2b@therme.ro), and in relation to your visits to Therme Bucharest.

2. The purposes, categories and informations storage term.

Based on the legal grounds, we have structured the situations in which your personal data is processed by Therme Nord Bucuresti by specifying the purposes, categories of processed data and the term while the data is kept.

♦ BASED ON YOUR CONSENT, Therme processes your personal data in the following situations :

→ By accepting the cookies existing on the therme.ro website and on the related sub-domains (shop.therme.ro, b2b.therme.ro, feedback.therme.ro etc.)

- Purpose: to improve the experience of browsing on the website.

- Categories of processed data: IP address, geographic address, and banners acessed by users, in order to optimize the display.

- Information storage term: differs depending on the accepted cookies and does not exceed 2 years as from the last session.

You can find further details about the cookies used by us here: http://www.therme.ro/ro/politici-cookie/

→ By subscribing to Therme’s Newsletter – on the website or through other Marketing Campaigns

- Purpose: we collect your e-mail address in order to send you notifications on Therme Nord Bucuresti’s news, offers and Campaigns.

- Categories of processed data: e-mail address and, sometimes, name and surname.

- Information storage term: Your e-mail address is used for this purpose until the moment when you withdraw your consent. This can be done at any time by clicking the unsubscribe button from your confirmation e-mail. Marketing comunications will not be sent without your consent given in advance.

→ For all marketing activities, through any collection method (apps, printed forms etc.) and through all processing operations required for the attainment of this purpose.

- Purpose: data is processed and kept for customization, identification, award of benefits and prizes, as well as for the performance of legal obligations.

- Categories of processed data: personal data required for the enrollment and participation in various Campaigns (family and first name, domicile, e-mail address, phone number or other identification data you provide as required).

- Information storage term: this is limited to (i) the Campaign duration, (ii) the time interval until you withdraw your consent (if you gave it), and (iii) the term set forth by law (for individuals who received prizes).

→ For the use of pictures and video recordings in various marketing materials on the online platforms held by THERME or Social Media:

- Purpose: to provide customers with a clear picture on the opportunities and benefits oferred by Therme.

- Categories of processed data: photo and video images.

- Information storage term: Personal data (your image) is used for the time interval established in the Agreement, usually for maximum 10 years.

→ For the creation of accounts on any of the following platforms: shop.therme.ro, b2b.therme.ro, therme.ro or any other therme.ro sub-domain.

- Purpose: The purposes of processing consist of: creation and administration of accounts for the performance of commercial relations, as well as for the collection of feedback for improving our services.

- Categories of processed data: Therme Nord București will process your personal data, such as name and surname, phone number, e-mail address, invoicing address, delivery address, data on how you use the website, for instance your behavior/preferences/ habits in Therme Nord București, as well as any other categories of data provided directly by you in relation to the creation of your user acount, to placement of orders through the website or in any other way resulting from the website use.

- Information storage term: As a rule, data is kept until the account is closed but, in particular situations, it will be kept for a longer time interval for the performance of legal obligations (10 years for accounting documents) or for the defense of Therme’s legitimate interests.

→ By installing the My Therme app and creating and using the related acount.

- Purpose: The purpose of processing your personal data consists of managing the app in order to provide services intended to build loyalty of Therme Nord Bucuresti’s customers.

- Categories of processed data: personal data provided by you at the moment of the acount creation, such as: name and surname, e-mail address, phone number and birth date.

- Information storage term: Data is kept until the moment when you request for the acount closure. In particular situations, for legal grounds or well justified legitimate interests, data is kept for a longer time interval also after the account closure and the app uninstallment.

→ By using the contact forms on the website (“Contact us”; “organize events” ; “Corporate Sales”; “Send CV”),

- Purpose: Data is processed for the comunication and sending of responses or for redirecting them to the relevant department following the submitted requests (sales, recruitmens etc.).

- Categories of processed data: Therme processes your full name and e-mail address.

- Information storage term: this is set depending on the request type, usually not longer then 3 years.

→ When information is provided to us through the chat or through Therme’s official facebook page

- Purpose: settlement of requests and inquiries from visitors of the facebook page.

- Categories of processed data: family and first name and any other information deemed by data subjects relevant to be provided to us in order to describe a specific situation.

- Information storage term: we keep the data usually 3 years by the last interaction.

→ By filling in various forms when you visit Therme Nord Bucuresti (suggestions, complaints, lost items, child companion employment, massage appointments and other forms whereby your consent is requested).

- Purpose: for the management of suggestions and complaints, comercial management, and for ensuring the guard, health and security of the Facility.

- Categories of processed data: name and surname, address, phone number , e-mail address and any other information deemed by data subjects relevant to be provided to us in order to describe a specific situation.

- Information storage term: this is set depending on the request type, no longer then 3 years.

♦ BASED ON THE GROUND OF PERFORMANCE OF LEGAL OBLIGATIONS, Therme Nord Bucuresti processes your personal data in the following situations:

→ Filling in of sheets at the first aid point following an event of medical nature.

- Purpose: to provide appropriate medical care; to record the event when this is necessary to medical services (hospitals, if the case), and to defend our rights.

- Categories of processed data: name and surname, telephone number, details on the incident and findings.

- Information storage term: Data is kept for a time interval of 30 days, and in situations where potential reports or complaints may be filed, data is kept for 3 years.

→ Ensuring security and health through video surveillance and by having a guard and protection system in place.

The premises of Therme Nord București, as well as the access ways and the parking place are equipped with a video surveillance system, which enables the collection of your image and its processing.

The areas in which there is a high privacy expectation, such as toilets and other similar locations, are not monitored.

- Purposes:

- to secure the observance of the General Contractual Terms - Therme București Nord’s Internal Regulation and that for the Use of Pools;
- to secure the protection of visitors’ health and security;
- to prevent and fight the perpetration of offences;
- to guard and protect individuals, as well as the assets and values of Therme Bucuresti;
- to conduct the internal and legal procedures applicable in case of incidents/accidents.

- Categories of processed data: video images, car registration numbers and other personal data, depending on situations.

- Information storage term: As a rule, video images are kept for maximum 30 days. To the extent that particular situations require that video images be kept for a longer time interval (depending on the time required for the further investigation of a Security Breach, for the defence of legal claims, and for the performance of a legal obligation or the defense of a legitimate interest), the term for keeping the data may be extended up to 3 years.

→ Filling in the engagement for food products brought from outside the Facility

- Purposes: to ensure food safety (Ordinance no. 21/1992, as subsequently updated).

- Categories of processed data: name and surname, address and signature.

- Information storage term: 30 days.

→ Use of personal data for the settlement of claims or complaints submitted online or at our premises:

- Purpose: settlement of complaints.

- Categories of processed data: name and surname, address, phone number, e-mail address.

- Information storage term: 3 years as from the last interaction.

→ Providing of personal data by filling in documents required for the performance of legal obligations (payment orders, collection orders, receipts, invoices, minutes concerning money return/retaking possession of goods (Therme cards) etc.

- Purpose: money collection/return, invoicing and others alike.

- Categories of processed data: family and first name, address, phone number, e-mail address, credit card codes, copy of the Passport (for payments order)

- Information storage term: 5 years, according to the legal provisions.

→ Identity document inspection for the identification of data subjects in various situations (return of lost items, return of Therme cards – in case of re-issuance etc.)

- Purpose: identification of data subjects.

- Categories of processed data: data contained in identity cards.

- Information storage term: N/A

→ Keeping track of service providers performing their activities in the Facility

- Purpose: Work Health and Safety.

- Categories of processed data: family and first name, birth date, profession, and signature.

- Information storage term: all along the performance of the service contract.

→ Keeping track of visitors (other than customers)

- Purpose: to ensure health and security.

- Categories of processed data: family and first name.

- Information storage term: 3 years.

→ Use of personal data incumbent on Therme Nord București in the context of the provided services, including obligations in the tax and archiving areas.

- Purpose: the performance of legal obligations in the tax and archiving area.

- Categories of processed data: name and surname and full address, in case of invoices, or any other information required by law for the performance of legal obligations.

- Information storage term: 5 or 10 years starting from the end of the financial year during which such information was prepared, in case of accounting documents (acording to Order no. 2634/2015 of 5 November 2015) and, in case of archiving, data is kept in compliance with National Archive Law no. 16/1996, as subsequently updated.

→ Administration of financial tranzaction by accounting department (in PayU platform) made with credit card by the clients in webshop and B2B platform.

- Purpose: financial and accounting administration for performance the legal obligation.

- Categories of processed data: The PayU application provide acces to name and surname, address, phone number, e-mail, postal code for the card holder.

- Information storage term: Information is not exported or stored by Therme.

♦ BASED ON ITS LEGITIMATE INTERESTS, THERME NORD BUCURESTI processes your personal data in the following situations:

→ Monitoring of THERME’s data network (when you connect to the wifi network during visits). We process your personal data based on your consend given at the moment of creating the user, but also in our legitimate interest in order to ensure a proper security of the network.

- Purpose: to ensure the security of information and for defending legitimate interest

- Categories of processed data: name and surname, e-mail address, phone number, details of device and navigation.

- Information storage term: 1 year

→ Keeping of incident sheets from the first aid point, video images, and complaints (if any) or other relevant documents following events of medical nature.

- Purpose: management of incidents, in order to defend our rights before Authorities.

- Categories of processed data: name and surname, telephone number, data referring to health condition, details on incidents and medical findings, video images and other information provided by customers to justify the situations.

- Information storage term: 3 years or more if the situation so requires, for defending the rights.

→ Management, control, reporting and preparation of statistics on THERME’s activity (this refers to internal reports prepared for the purpose of obtaining information on sales, the most accessed services, data on your preferences/interests etc.)

- Purpose: management and marketing.

- Categories of processed data: Data does not contain identification elements.

♦ BASED ON THE CONTRACT BETWEEN YOU AND THERME NORD BUCURESTI (including the stages preceding the contract execution), your data is processed in the following situations:

→ Through e-mail communications with Therme Nord Bucuresti’s employees involved in sales (including the stages preceding such sales). Through commercial requests sent via the online or B2B store. Providing your personal data is required for the contract performance.

- Purpose: organization and performance of contractual relations (information, takeover, validation, delivery and invoicing of orders placed on the website, your notification on the order’s status, organization of returns of ordered products etc).

- Categories of processed data: name and surname, profession, e-mail address, delivery address, phone number, bank details, and details of financial transactions with Therme.

- Information storage term: for natural persons: 10 years as from the last order/sale, while for representatives of legal entities, 10 years as from the contract expiry.

→ Filling in of support documents for the recovery of damages caused by customers (payment comitments, finding minutes or other support documents)

- Purpose: recovery of damages.

- Categories of processed data: at least name and surname, domicile address, phone number, payment value, and other information required to establish the circumstances of damages will be collected.

- Information storage term: 5 years as from the end of the financial year during which such documents were prepared.

→ Inspection of identity documents of individuals who want to acess areas limited by age

- Purpose: to ensure the observance of the General Contractual Terms- Therme București Nord’s Internal Regulation and that for the Use of Pools.

- Categories of processed data: data subjects’ identity documents will be visually inspected in order to allow access to particular areas restricted based on age criteria.

- Information storage term: data is not kept.

→ Inspection of identity documents (for pupils, students / pensioners / disabled persons etc.) and of support documents (pupil/student report card, pension slip, support document certifying the disability degree etc.) at the time of purchase of acess tickets.

- Purpose: to ensure the observance of the General Contractual Termse- Therme București Nord’s Internal Regulation and that for the Use of Pools.

- Categories of processed data: data subjects’ identity documents and support documents will be visually inspected for identification purposes.

- Information storage term: data is not kept.

→ Appointments for additional services in the Facility (massage appointments)

- Purpose: massage appointments.

- Categories of processed data: first name.

- Information storage term: 60 days.

→ CV data (that existing on specialized websites or sent to us by you via email or to the address of our working point) is processed for the selection of applicants for interview.

- Purpose: recruitment

- Categories of processed data: name and surname, address, birth date , phone number, address, e-mail, education/qualifications, professional experience, skills and other relevant information.

- Information storage term: If an applicant is rejected, his/her CV will not be kept. If an applicant is acepted, his/her CV will be submitted in his/her HR file and will be kept according to the legal provisions.

The usual (non-exceptional) processing situations are highlighted above. For any unusual situation in which your personal data is processed by Therme in accordance with the data protection law you can contact Data Protection Officer to obtain additional informations. The Privacy Policy is updated periodically to provide a correct and updated ovewview for the data subject.

3. Disclosure of personal data

For the attainment of processing purposes, Therme may disclose your data to its partners, to third persons or entities supporting Therme Bucharest in carrying out its activities through the Website (for instance, courier companies, IT service providers, Marketing collaborators, finacial and accountancy service providers), or to the central/local public authorities in the following indicative situations listed below:

- for the Website administration;
- for organizing and conducting marketing campaigns
- in situations where such disclosure is necessary for the award of prizes or other facilities to data subjects obtained as a result of their participation in various promotional campaigns organized by Therme through the Website;
- to maintain, personalize and improve the Website and the services provided through it;
- to conduct data analysis, to test, investigate and monitor the use and activity trends, and to develop safety features and the login of users;
- to transmit marketing commercial communications under the terms and within the limits set by law, always based on your consent;
- when the disclosure of personal data is required by law etc.

4. Your rights

Under the terms of the legislation concerning the processing of personal data, in your capacity as data subject, you benefit from the following rights:

→ right to information, i.e. a right to receive details on the processing activities carried out by Therme Nord Bucharest, as described in this document;
→ right of data access, i.e. a right to obtain confirmations from Therme Nord Bucharest on the processing of your personal data, as well as details on processing activities, such as the manner in which data is processed, the purposes for which data is processed, the recipients or categories of recipients of data etc.;
→ right to rectification,e. a right to obtain the correction by Therme Nord Bucharest, without unjustified delays, of inaccurate/unjustified personal data, as well as the supplementing of incomplete data; such rectification/supplementing will be communicated to each recipient to which the data was transmitted, except for situations where this proves to be impossible or requires disproportionate efforts.
→ right to data erasure, with no unjustified delays, („right to be forgotten”), in cases where one of the following reasons applies:

- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent, and there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society service sunder the Union or Member State law to which the controller is subject.

Therme Nord Bucharest, following a data erasure request, may anonymize such data (thus depriving them of their personal character) and may continue the processing under these terms for statistical purposes;

→ right to restriction of processing, to the extent that:
- - the accuracy of the personal data is contested by the data subject, for a period enabling us to verify the accuracy of the personal data;
- - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
- - the data subject has objected to other than for direct marketing purposes pending the verification whether the legitimate grounds of the controller override those of the data subject.
→ right to data portability, i.e. (i) right to receive the personal data in a structured, commonly used and machine-readable format, and (ii) the right to have such data transmitted by Therme Nord Bucharest to another data controller, to the extent that the requirements set by law are met;
→ right to object – in respect of processing activities, this right can be used by transmitting a request as described below;
- - at any time, on grounds related to his or her particular situation, to the processing of personal data concerning him or her carried out based on the legitimate interest of Therme Nord Bucharest or based on a public interest, except for cases where Therme Nord Bucharest demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims;
- - at any time, free of charge and with no justification, to the processing of data concerning him or her for direct marketing purposes.
→ right not to be subject to a decision based solely on automated processing, i.e. a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her;
→ right to address the National Authority for Personal Data Processing Supervision or the courts of jurisdiction, to the extent that you find this necessary, directly on the Authority’s website dataprotection.ro.

5. Contact

THERME will provide you free of charge with information on the processing of your personal data based on a request, with no unjustified delays, within maximum 30 calendar days as from the date of such request registration. Depending on the complexity of the requested information, such term may be extended by 60 days, and you will be informed on the reasons underlying such extension of the initial term. In case of requests received in an electronic format, the information will be provided also in an electronic format, except for situations where you request for the information in a different format (a printed one). In cases where you request for repetitive, excessive or unfounded information, THERME may refuse to provide the information.

If you want to make use of any of your rights related to the processing of personal data by THERME, to obtain further information or clarifications on the processing of your personal data, please contact THERME, through its Data Protection Officer in charge of securing THERME’s compliance with the requirements set forth by GDPR.

This official can be contacted at the following e-mail address: dataprotection@therme.ro

The website www.therme.ro uses cookies. For further information related to the use of such cookies, please access the following link: http://www.therme.ro/ro/politici-cookie/.