Therme

DATA PROTECTION

CONFIDENTIALITY STATEMENT

CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY OF

THERME NORD BUCURESTI

1. Introduction

The confidentiality of your personal data is one of the main concerns of Therme Nord București as a data controller. Therefore we want to be completely transparent regarding the processing of personal data by providing all the information you need on this subject.

According to the requirements of the General Data Protection Regulation No. 679/2016 regarding the protection of individuals with respect to the processing of personal data and on the free movement of such data, amended and supplemented, Therme Nord București SRL (hereinafter referred to as the “Therme”) with its registered office in Romania, Sibiu county, 2 Strada Victor Hugo, building C1, Office 1, 1st floor, having the place of business in Balotești, 1K Calea București, Ilfov County, is required to manage safely and only for specified purposes, personal data that you provide to us or we collect about you.

This document is designed to inform you about the processing of your personal data, with respect to the use of the website www.therme.ro (and its corresponding sub-pages, such as the shop.therme.ro. B2B.therme.ro etc.) and regarding the visits to Therme București.

2. Details of the processing of personal data

Based on legal grounds, we have highlighted most of the situations in which your personal data is processed within Therme Bucureşti by mentioning the purposes, categories of processed data and their storage period.

♦ BASED ON YOUR CONSENT, Therme processes your personal data in the following situations:

→ By accepting cookies on the webpage therme.ro, and related subdomains (shop.therme.ro, b2b.therme.ro, feedback.therme.ro etc.):

- Purpose: improving the experience of browsing the website, optimizing the display of content on the pages of the website.

- Categories of processed data: IP address, geographical address, what banners you have accessed.

- Information storage period: varies depending on the cookies accepted and does not exceed 2 years after the last session.

More details about the cookies used by Therme can be found here: http://www.therme.ro/ro/politici-cookie/

→ By registering to Therme`s Newsletter:

- Purpose: Therme processes your e-mail address to send you information about Therme news, offers and Campaigns.

- Categories of processed data: e-mail address and sometimes first and last name.

- Information storage period: your e-mail address is used for this purpose until the withdrawal of consent, which can be exercised at any time by pressing the unsubscribe button in the confirmation e-mail. Marketing communications are not done without your prior consent.

→ For all marketing activities (registration/enrolment campaigns, contests or other events), through any means of collection (online, printed forms, etc.) and all the processing operations necessary for the fulfilment of the purpose:

- Purpose: data is processed in order to organize, conduct and manage marketing events and to fulfil legal obligations.

- Categories of data processed: refers to the personal data required that you provide for the registration, participation and awards in various Campaigns (first and last name, home address, e-mail address, telephone number, or other identifying data that you provide to us according to the nature of the event.)

- Information storage period: is limited to (i) the duration of the Campaign, (ii) the period up to withdrawal of consent (if you have given it), respectively, (iii) the duration provided for by law (for those who have been awarded).

→ By the consent you provide for the collection and use of photo/audio/video materials in order to achieve various marketing materials distributed on online platforms owned by the Therme or Social Media, or used in order to be published in the Time to Therme magazine , etc. :

- Purpose: Therme image promotion, its products and services.

- Categories of processed data: your voice and image by making photo/audio/video materials.

- Information storage period: personal data (your voice and image) will be processed until consent is withdrawn or, otherwise, until the date specified in the Agreement/consent agreed with Therme.

→ Creating an account on the platforms owned by Therme (shop.therme.ro, b2b.therme.ro, therme.ro or any other subdomain therme.ro.):

- Purpose: the Purposes of the processing refers to the creation and management of accounts in order to carry out trade relations, as well as to gather feedback in order to improve the services offered.

- Categories of data processed: Therme will process your personal data, such as: first name, last name, phone number, e-mail address, billing address, data related to the way in which you use the website, for instance your behaviour/preferences/habits within Therme București, as well as any other categories of data that you provide us directly in the context of the creation of the user account, in light of placing an order via the website or in any other way arising from your use of the website.

- Information storage period: Data is kept right up to the erasing of the account, but in certain situations they will be kept for a longer period for the fulfilment of legal obligations (10 years for the financial-accounting documents) or for the protection of the legitimate interests of Therme.

→ By installing the My Therme application, creating and using the related account.

- Purpose: Managing the application so as to provide the best Therme loyalty service.

- Categories of processed data: personal data which you provide when creating the account, namely: first name, last name, e-mail address, phone number and date of birth.

- Information storage period: Data is kept until you request the deletion of the account. In certain cases, for legal reasons or legitimate interests duly substantiated, data is kept for a longer period of time even after deleting the account and disabling the application.

→ Using the contact forms on the website ("contact us"; "organize events”;" corporate sales”; "send CV”)

- Purpose: registration and resolution of requests.

- Categories of processed data: full name, e-mail address as well as data contained in attachments.

- Information storage period: it is established according to the type of request, no more than is necessary for the fulfilment of purposes and fulfilment of legal obligations.

→ By providing certain information in the form of requests via the official Therme chat or via the Facebook page.

- Purpose: to resolve requests from Facebook page visitors.

- Categories of processed data: First and last name or Facebook nickname, public information and any other information that you provide. If your request involves the disclosure of sensitive personal data, Therme may guide you to e-mail the request directly to the approved department.

- Information storage period: data is usually kept for up to 3 years after the last interaction.

→ By filling out the various online forms on the website www.therme.ro or printed forms when visiting Therme București (suggestions, complaints, lost and found, commitment of kids' caretaker, massage appointments and other forms through which you are requested to give your consent).

- Purpose: for the management of suggestions and complaints, commercial management and to ensure the security, health and safety of the Resort.

- Categories of processed data: first and last name, address, phone number, e-mail address and any other relevant information that you provide for the settlement of your claim.

- Information storage period: data is kept according to the type of request, usually not more than 3 years after the last interaction.

♦ IN ORDER TO FULFILL LEGAL OBLIGATIONS, Therme processes your personal data in the following situations:

→ Filling out a form at the first aid station following a medical event.

- Purpose: providing adequate healthcare, registering the event and keeping records for your best interest (safety and public health) and defending Therme rights.

- Categories of processed data: first name, last name, phone number, incident details and medical findings.

- Information storage period: for minor assistance, data is kept for a period of 30 days, and for serious situations in which subsequent requests can occur (access requests, notifications or complaints, etc.), data is kept for 3 years.

→ Ensuring safety and health through video monitoring and through the existence of a security and protection system.

Within the premises of Therme Bucureşti, as well as the access and parking points are equipped with a video surveillance system that allows the collection of your image and its processing.

Areas where privacy expectations regarding personal life are high, such as toilets and similar locations, are not monitored.

- Purposes:

- ensuring the health and safety protection of visitors;
- preventing and combating criminal offences;
- security and protection of persons and property and values of Therme București;
- ensuring compliance with the General contractual conditions - Rules of Procedure and Use of Therme Nord București Swimming Pools;
- carrying out the related internal and legal procedures in case of incidents / accidents.

- Categories of processed data: video images, car registration number and other personal data depending on the situation.

- Information storage period: Usually, video images are kept for up to 30 days. To the extent that certain situations require the retention of video images for a longer period (depending on the time required to further investigate a Security incident, in order to defend a right in court, in order to fulfil a legal obligation or a legitimate interest), the retention period may be extended up to 3 years.

→ Filling out the commitment for food brought off-site

- Purposes: ensuring food safety (Ordinance 21/1992 with subsequent updates)

- Categories of processed data: first and last name, address and signature.

- Information storage period: 30 days.

→ Storage and processing of personal data for resolving claims and complaints filed online or on location:

- Purpose: to resolve claims and complaints.

- Categories of processed data: first and last name, address, phone number, e-mail address and any other relevant information.

- Information storage period: 3 years after the last interaction.

→ Provision of personal data by filling out documents necessary for the fulfilment of legal obligations (payment order, cashing order, receipt, invoice, delivery-receipt minute vouchers, report of Return Money / re-possession of goods (Therme cards), etc.

- Purpose: cash collection / return, billing, other tax purposes.

- Categories of processed data: first and last name, address, phone number, e-mail address, credit card code and ID copy.

- Information storage period: 5 years, according to legal provisions.

→ Checking the identity card to identify the data subject in different situations (return lost items, return Therme gift cards – in case of re-issuance, etc)

- Purpose: identification

- Categories of processed data: Data from ID card or passport.

- Information storage period: N/A

→ Keeping a record with service providers operating within Therme București Resort.

- Purpose: Health and Safety at Work

- Categories of processed data: first and last name, date of birth, occupation, signature.

- Information storage period: throughout the performance of the service contract and after its termination, for the duration necessary to fulfil the legal obligations.

→ Keeping record of visitors (other than customers)

- Purpose: To ensure health and safety.

- Categories of processed data: first and last name

- Information storage period: 3 years

→ The use of personal data that is held by Therme Nord Bucureşti in the context of services rendered, including tax obligations, as well as regarding archiving.

- Purpose: fulfilment of legal obligations in matters of taxation and archiving.

- Categories of processed data: Therme requires first and last name and address in the case of invoices, or any other information required by law to fulfil legal obligations.

- Information storage period: 5 or 10 years from the end date of the financial year in which they were drawn up in the case of accounting documents (according to the order 2634/2015 of the 5th November 2015), and for archiving, data retention is done in accordance with the law of national archives 16/1996 with its subsequent updates.

→ Management of transactions by the financial-accounting department in the case of payments (on the platform PayU) made with the card by the customer in the online store or on B2B platform.

- Purpose: financial and accounting management.

- Categories of processed data: the PayU Application provides access to the name and surname, address, phone number, e-mail address, postal code of the cardholder.

- Information storage period: information is not exported or stored by Therme.

♦ IN ORDER TO FULFILL LEGAL OBLIGATIONS, THERME processes your personal data in the following situations:

→ THERME data network monitoring (when you connect to the Wi-Fi network at the time of the visit). The provision of personal data for the purpose of connecting to the Wi-Fi network is based on your consent and on the legitimate interest to ensure optimal conditions of network security.

- Purpose: To ensure information security and to protect the legitimate interest.

- Categories of processed data: first and last name, e-mail address, phone number, device details and navigation.

- Information storage period: 1 year

→ Preservation of the first aid incident sheet, videos, complaints (if any) or other relevant documents following a medical event.

- Purpose: incident management, for the purpose of defending Therme's rights before Authorities.

- Categories of data processed: first and last name, surname, phone number, data related to your health, incident details and medical findings, video images and other information provided by you to motivate a situation.

- Information storage period: 3 years or more if the situation so requires, for the protection of rights.

→ Managing, controlling, reporting and compiling THERME activity statistics (Refers to internal reports made to obtain sales information, most accessed services, data on your preferences/interests, etc.)

- Purpose: management and marketing

- Categories of processed data: Data do not contain identification elements.

♦ BASED ON THE CONTRACT BETWEEN YOU AND THERME (including the stages prior to signing of the contract), your data is processed in the following situations:

→ Through e-mail communication with Therme employees involved in the sale (including pre-sale steps).

Through commercial requests from the online store or B2B or any other communication channel. The provision of your personal data is necessary for the performance of the contract.

- Purpose: organizing and conducting the contractual relationship (informing, retrieving, validating, dispatching and invoicing of the order placed on the website, informing you on the status of the order, organising the return of products ordered, or other circumstances related to the sale.)

- Categories of processed data: first and last name, occupation, e-mail address, delivery address, phone number, banking data, details of financial transactions with Therme.

- Information storage period: for individuals: 10 years from the last order/sale and for representatives of legal entities 10 years from the completion of the contract.

→ Filling out supporting documents to recover damages caused by customers (payment commitments, minutes or other supporting documents).

- Purpose: Recovery of damages.

- Categories of processed data: are collected at least first and last name, home address, phone number, amount of payment and other information necessary to establish the circumstances of the damage.

- Information storage period: 5 years from the end date of the financial year in which they were drawn up.

→ The verification of the identity card of the persons who wish to access areas with age limit.

- Purpose: Ensuring compliance with the General Contractual Conditions - Rules of Procedure and Use of Therme Nord București Swimming Pools;

- Categories of processed data: it requires a visual check of your identity card in order to be allowed access to certain age restricted areas.

- Information storage period: No data is stored.

→ The verification of the identity card (for pupils, students / retirees / people with disabilities etc.) and supporting documents (pupil / student card, pension card, supporting document certifying the degree of disability, etc.) at the time of purchasing the access ticket.

- Purpose: Ensuring compliance with the General Contractual Conditions - Rules of Procedure and Use of Therme Nord București Swimming Pools; - Issuing discount for access tickets.

- Categories of processed data: it requires a visual check of your identity card and supporting documents.

- Information storage period: No data is stored.

→ Appointments for additional services within the Resort (massage appointments)

- Purpose: massage appointments

- Categories of processed data: first name

- Information storage period: 60 days

→ CV Data (those on the profile sites or those that you send us by e-mail or at the address of the place of business) processed in order to select the candidate for the interview.

- Purpose: recruitment

- Categories of processed data: first and last name, address, date of birth, phone number, e-mail address, education/qualifications , experience, professional skills and other relevant information.

- Information storage period: If the candidate is rejected, his CV will not be kept (unless otherwise provided under a consent), if the candidate is accepted, the CV will be submitted to the personnel file and kept according to the legal provisions.

♦ OTHER SITUATIONS WHERE PERSONAL DATA MAY BE PROCESSED

In certain situations, Therme can allow access within the Resort Therme București to third Parties in order to carry out activities involving the realization of photo/video/audio material on the basis of a contract or written authorisation from Therme, as well as:

- Press (at its request), at certain times such as national or public interest days, inaugurations, special events, etc., for personal journalistic purposes.

- Partners who have concluded a contract with Therme and who by the nature of the contract are required to make photo/video/audio materials in the Therme location. (events, TV productions, product and service promotions etc.)

Therme informs all its partners, either by specific contractual clauses or by their acceptance of the General Conditions regarding the filming, recording, shooting activities in Therme Bucharest of the responsibilities regarding the processing of personal data.

They undertake and are responsible for the personal data processed, both for obtaining consent and for the other GDPR obligations.

The usual (standard) processing situations are highlighted above. In any unusual situation in which your personal data is processed for the purposes laid down by law, you can contact the Therme Data Protection Officer to get additional information. The privacy policy is regularly updated to give you a fair and up-to-date overview.

3. Disclosure of personal data

For the purposes of the processing, Therme can disclose your data to partners, to third parties or entities that support the Therme in performing its activity through the Website (for example courier companies, marketing collaborators, IT service providers, financial, accounting, legal service providers etc.), or to central public/local authorities, in the following cases listed as examples:

- for managing the Website.
- for organizing and conducting Marketing Campaigns;
- in situations where this communication would be required for the awarding of prizes or other facilities for the persons concerned, obtained as a result of their participation in various promotional campaigns organised by Therme via the Website, Social media communication channels or in the Therme București location.
- for carrying out financial and accounting activities;
- for maintaining, customizing and improving the Website and the services carried out through it;
- for maintenance and administration of IT systems.
- for performing data analysis, testing and research, to monitor user and activity trends, to develop safety features and to authenticate users;
- for the transmission of commercial marketing communications, under the conditions and limits provided by law, always with your consent;
- when the disclosure of personal data is provided by law, etc.

As a general rule, personal data is processed in Romania. In specific situations in which it will be necessary to carry out any of the purposes above-mentioned, Therme can call upon third parties or entities that can access your data from outside of the country (e.g. Germany). In these circumstances, Therme will always take steps to ensure that any international transfer of personal data is managed carefully in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected through contractual commitments and, where appropriate, through other guarantees, such as the standard contractual clauses issued by the European Commission or certification schemes.

4. Your rights

Under the conditions laid down in the law on the processing of personal data, as data subjects, you benefit from the following rights:

→ the right to be informed, respectively the right to receive details concerning the processing activities carried out by Therme, as described in the present document;
→ the right of data access, respectively the right to obtain confirmation from Therme with respect to the processing of personal data, as well as details on the processing activities, as well as the manner in which the data is processed, the purpose for the processing, the recipients or the categories of data recipients etc.;

→ the right to amendment, namely the right to obtain the correction, without legitimate delays, by Therme of personal data that is inaccurate/ unwarranted, as well as to fill out incomplete data; Rectification / completion will be communicated to each recipient to whom the data was transmitted, unless this proves impossible or involves disproportionate efforts.
→ right to delete data, without undue delay ("the right to be forgotten"), if one of the following reasons applies:

- they are no longer necessary to fulfil the purposes for which they were collected or processed;
- if you have withdrawn your consent and there is no other legal basis for processing;
- if you oppose the processing and there are no legitimate reasons to prevail;
- if personal data has been unlawfully processed;
- if personal data must be deleted in order to comply with a legal obligation;
- personal data has been collected in connection with the provision of information company services under the Union law or under national law to which Therme is subject.

Following your request to delete the data, Therme may anonymize this data (thus depriving them of their personal character) and continue processing for statistical purposes;

→ the right to restrict the processing in so far as:

- you are challenging the accuracy of the data, for a period that allows us to verify the correctness of the data;
- the processing is illegal, and you oppose the deletion of personal data, requesting instead to restrict its use;
- Therme no longer needs the personal data for the purpose of processing, but you request it for the establishment, exercise or defence of legal claims; or
- you have opposed the processing (other than that of direct marketing) for the period of time when it is verified that the legitimate rights of Therme prevail over your rights.

→ the right to data portability, namely (i) the right to receive personal data in a structured way, used in the usual way and in a format easy to be read, as well as (ii) the right for this data to be submitted by Therme to another data controller, to the extent that the conditions laid down by law are met;
→ right to object - with respect to processing activities, it may be exercised by submitting a request as indicated below:

- at any time, for reasons related to the particular situation in which you find yourself, as personal data that is to be processed pursuant to the legitimate interest Therme or based on the public interest, except for cases where Therme can prove that it has legitimate and compelling reasons that justify the processing, and which take precedence over your interests, rights and freedoms or that the purpose is the establishment, exercise or defence of a right in court;
- at any time, free of charge and without any justification, that data concerning be processed for direct marketing purposes.

→ the right not to be subjected to an individual automatic decision-making process , meaning the right not to be the subject of a decision taken only on the basis of automatic processing activities, including profiling which produces legal effects which concern you or affect you, in a similar manner, to a significant extent;
→ the right to address the National Supervisory Authority for Personal Data Processing or the competent courts, in so far as considered necessary, directly on the website of the authority www.dataprotection.ro.

5. Contact

THERME will provide free information concerning the processing of personal data upon request, without undue delay, within 30 calendar days from the date of the request registration. Depending on the intricacies of the information requested, this period may be extended by 60 days informing you of the reasons for extending the initial term. For applications received in electronic format, the information will be provided in electronic format, unless you request the information in another format (printed). In cases where you ask us for the same repetitive, excessive information or without legal basis, THERME may refuse to provide the information.

If you want to exercise any of your rights related to the processing of personal data by THERME, to get additional information or clarification with respect to the processing of your personal data, please contact THERME through its data protection officer responsible for ensuring that THERME complies with all the requirements of the GDPR.

He can be contacted at the e-mail address: dataprotection@therme.ro

The website www.therme.ro uses cookie files. For more information on how these files are used, please visit the following link: http://www.therme.ro/ro/politici-cookie/.

6. Updating the Privacy Policy

Therme reserves the right to update and change the privacy policy to reflect all the changes in the way in which personal data is processed, as well as any changes in legal requirements concerning the processing of personal data. Updates do not always involve changes in the processing activities, most often they are intended to give you a clearer and improved picture on this topic.

Visit this page regularly to make sure that you always have the information up to date.