Privacy Policy

CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY

Introduction

The privacy of your personal data is one of the main concerns of Therme Nord București. For this reason, our aim is to be completely transparent with regard to the processing of your personal data by presenting all the information you need concerning this subject matter.

Therme Nord București, as data controller, processes your personal data in accordance with all national and European provisions on the protection of personal data, in particular by complying with the General Data Protection Regulation no. 679/2016 on the protection of persons with regard to the processing of personal data and the free movement of such data (hereinafter referred to as GDPR).

The purpose of this document is to inform you regarding the processing of your personal data when using the website www.therme.ro (including its subdomains), hereinafter referred to as "website", the MyTherme mobile application, as well as regarding the visits to the Therme Bucharest resort.

Who are we and how can you contact us?

Therme Nord București SRL (hereinafter referred to as Therme) is a Romanian legal entity with its registered office in Romania, Sibiu county, 2 Victor Hugo street, building C1, office 1, 1st floor, registered at Sibiu Trade Register Office under no. J32/55/2012, URC RO 28472550, with the place of business at the Therme Bucharest SPA resort located in Balotești, 1K Calea București, Ilfov county.

Therme can be contacted by post or courier, both at the registered office address and at the place of business address, or by e-mail, at the address office@therme.ro.

To comply with the legal requirements regarding the processing of personal data, Therme has appointed a Data Protection Officer who works at the place of business address and can be reached via e-mail at: dataprotection@therme.ro. 

What are the cases in which we process your data?

DATA PROCESSING WHEN USING THE WEBSITE OR THE MOBILE APPLICATION MYTHERME:

1.  When accessing the website, by means of cookies used on the website, which collect personal data to improve the browsing experience, to optimize the content display on web pages (e.g., language preference), to register consent regarding accepted cookies, traffic analysis, advertising, etc. 

Cookies are divided into four categories:

a.  cookies which are strictly required so that the website operates properly, which cannot be disabled and for which the processing is done in the legitimate interest of Therme. The website cannot operate properly without these cookies.

b.  preference cookies which allow the website to remember information that changes according to the way in which the website behaves and looks, such as your preferred language or the area in which you are located.

c.  statistical cookies which  help us understand how you interact with the website by collecting and reporting anonymous information.

d.  advertising cookies  which are used to track users from one site to another. The purpose is to display relevant and engaging advertisements for individual users. These cookies may be set up on our website by our advertising partners. These companies can use them to create a category regarding your interests and to show you relevant advertisements on other websites. They do not store personal information directly, but are based on solely identifying your browser and internet device. If you do not allow these cookies, you will receive less personalized advertising.

For the advertising cookies used by Google which are available on the website, you can find more information here: https://policies.google.com/technologies/cookies?hl=ro

To this end, personal data refer to data such as IP address, geographical address and pages accessed, and they are stored for the period necessary to fulfill the purposes, depending on the type of cookie.

Preference, statistical and advertising cookies are only used based on your consent, depending on the preferences selected in the cookies privacy panel. 

More details about cookies, changing preferences, or withdrawing previously granted consent can be found in  “Cookie Policy”

2.  When using the MyTherme application

Our systems, like all servers, automatically record information such as your IP, operating system and the type of device when you are connected to these systems. Although we do not specifically collect data such as the language of your device, we use it to determine the language that the application content should have. The data are used while you are using the application.

3.  By filling out and transmitting the necessary data to create your MyTherme account: first and last name, e-mail address, setting-up the password, and verifying the minimum mandatory age for data processing in order to activate the account. The data are processed only based on your consent when you access the “Create Account” section and are kept until the account is deleted, and for another 30 days under the legitimate interest of Therme. The right to erasure can be exercised directly from your account, under the section “Settings/Delete account".

4. When providing additional information to complete your profile, in MyTherme account, such as: phone number or other contact information, billing address, postal code or other additional information you wish to have on the invoice. The data are processed pursuant to your freely given consent upon creating the account, and are to be used for commercial management purpose for future orders/purchases in the online store. The data are kept until you request the account to be deleted, under the terms mentioned in the previous paragraph. However, Therme may process these data for a longer period when the data were used for purchasing Therme products and services, for fulfiling its legal obligations (e.g., for financial and accounting purposes) and for protecting its legitimate interest (e.g., complaint resolution), in accordance with legal retention requirements.

5.  When making an order in the online store, by providing the necessary information, such as:

aidentification data - first and last name, e-mail address, phone number;

b. contact details - first and last name, e-mail address, phone number;

c. billing data - first and last name, billing address, postal code, any other information you wish to be added on the invoice;

d. age limit necessary to place the order and send the data to Therme.

e. customer type - child/adult/pupil/student/senior

f.  bank card details - name of cardholder, card number, expiry date and CVC. Bank data are not stored on the information systems of Therme. The data are processed by means of an authorized payment processor that complies with the PCI DSS standard. Therme only stores the card token and its expiration date.

g. details about the products and services purchased, and related to your visit. (Therme cards, tickets purchased, number of visitors, date of visit, duration of visit, areas visited, etc.).

The purpose of the processing operation is related to managing our commercial relationship with you, which involves carrying out processing activities, such as: verifying the minimum legal age for placing the order and sending the data, registering the placed orders, customizing access tickets (by mentioning your and your other accompanying guests' first and last name), issuing the access tickets, sending the access tickets via e-mail to each visitor, invoicing, sending notifications concerning the order, providing technical assistance, matching offers with the type of customer, checking the order status, solving technical issues or complaints, cancellations, or any other processing activities which are related to the orders placed in our online shop.

Therme processes the data mentioned under our mutual agreement, concluded with respect to the purchase of products and services, as well as for fulfilling its fiscal obligations or other legal obligations, according to the retention periods regulated by legal provisions (for example, 10 years for financial-accounting documents).

Therme may use the data related to your purchases to make statistical, anonymized reports about sales and customer preferences. These data help Therme improve the services offered. Anonymizing data no longer allows you to be identified, which is why it may be kept by Therme indefinitely.

If you send data that do not belong to you to Therme, in cases such as: registering the contact details of another person, using another person's bank card, providing the first and last name as well as the e-mail addresses of other access ticket beneficiaries (so that Therme forwards the access tickets to each visitor), or other similar cases, please inform these persons accordingly by bringing this document to their attention, before using them in the business relationship with Therme.

6. When you contact us:

a.  using the contact form on the website by filling out and sending data to Therme.  The data required to solve your request are: first and last name, e-mail address, reason for contacting us, as well as other additional information that you provide under that specific section. Therme collects these data based on your consent. The data retention period varies depending on the chosen reason and may be influenced by legal provisions. For instance, if you contact us in order to solve a complaint, Therme will keep the data for 3 years after its resolution or our last communication with you, both to fulfill its legal obligations and to protect its legitimate interest.  

b.  through social networks (Facebook, Twitter, Youtube, etc.).Therme has access to the public data in your profile as well as to the personal data you submit regarding your questions or requests through private messages or public posts.

Therme does not advise the transmission of personal data through social networks and cannot guarantee data security, considering the fact that it cannot fully control access to external entities that can access this information, such as social network operators and their partners. Please take this into account when using this communication channel.

Depending on the reason you contact us, a Therme employee will answer your questions, and when it comes to the processing of personal data, he/she may guide you to other communication channels controlled and secured by Therme (e.g., transmission of data to specific e-mail addresses). Therme will process these data only for the purpose of resolving your request according to legal obligations.

Therme will regularly delete messages containing personal data included in notifications sent to you through this communication channel, specifically sensitive data, and the retention of such data will be done depending on the purpose, in accordance with its internal procedures.

c.  through specific e-mail addresses (contact@therme.roreclamații@therme.ro, etc.).

In this regard, the processing shall be carried out under the same conditions as referred to under paragraph 6.a. Depending on the reason for the request, Therme may require additional information that is necessary to resolve your request. Moreover, when sensitive personal data are transmitted, Therme may send that information to you using additional encryption methods.

7.  When Therme sends you “web push” or ”app push” notifications on MyTherme website or mobile application, or e-mail notifications

Therme carries out this processing activity based on your consent for direct marketing messages, when they relate to the promotion of product and service categories that you have not purchased. For notifications which relate to products and services purchased or under purchasing, the legal basis is the legitimate interest of Therme. The notification types may refer to changes in the operating schedule of Therme Bucharest resort, changes in the schedule of Therme activities, messages about your purchases, messages about the purchase of similar products, or other particular messages.

Notifications can be enabled or disabled directly from your account in the Settings/Notification Settings section.

8.  For taking part in Therme events and competitions

The categories of data processed refer to the necessary personal data that you provide for registration, participation and award in various campaigns (first and last name, home address, e-mail address, telephone number, or other identification data that you provide to us, depending on the nature of the event), through various collection means (electronic or printed forms, e-mail, etc.).

The campaigns can be organised via Therme's website or social media channels (Facebook, Instagram, Youtube, etc.).

Therme processes these data for the purpose of organizing, carrying out and managing marketing events as well as for the fulfillment of legal obligations by performing all necessary processing activities in accordance with them.

The legal basis for data processing is not only the consent that you give when registering in the campaign, but also the compliance with legal obligations that Therme or its marketing partners, as organizers, have.

The retention period of the information is limited to (i) the duration of the Campaign, (ii) the period until the withdrawal of consent (if you have granted it), and (iii) the duration provided for by law (for award-winning persons), as the case may be. If necessary, Therme may also process the data in order to protect its legitimate interest (e.g., when it is necessary to resolve complaints).

Due to the broad nature of Therme campaigns, the Organizer will provide you with detailed information on the processing of personal data in each Campaign Regulation.

9.  Through processing photo/audio-video materials in order to make various marketing materials, to promote the image, products and services of Therme. In addition to your voice and appearance, the materials may also contain other personal data that you disclose (for example, if data are processed based on an interview).

This processing activity will be carried out only based on your consent, or based on a personal release agreement signed between you and Therme. Consent is usually given in writing, before data processing is carried out, and will contain all the details needed for processing your data. The promotion of marketing materials is done both internally, within the Therme Bucharest resort, and externally, on online platforms owned by Therme or on social media, used so as to be published in Time to Therme magazine, etc.

Personal data will be processed until the consent is withdrawed, or, otherwise, until the date mentioned in the agreement/permission agreed upon with Therme.

DATA PROCESSING WHEN VISITING THE THERME BUCHAREST RESORT:

1. Through the video surveillance system installed in areas intended for both customers and visitors as well as for employees, within the Therme Bucharest resort, as well as in adjacent areas such as parking lots, roads and access roads, warehouses or other buildings located on the Therme property.  This processing activity, which involves the processing of your image, or other data that may indirectly lead to your identification (e.g., registration number), augments the security and protection measures implemented based on the risk assessment regarding the security of Therme Bucharest resort. 

Due to the large visitor flow, Therme uses the surveillance system together with the other security measures in order to fulfill its legal obligations, such as complying with the provisions of  Romanian Law 333/2003 on the security of objects, goods, values and the protection of persons, or for legitimate interests, for purposes such as:

a.  ensuring the protection of health and safety of visitors;

b.  preventing and countering crimes;

c.  securing and protecting persons and the property and values of Therme;

d.  ensuring customer compliance with the General Terms and Conditions - Therme Nord București Rules of Procedure and Use of swimming pools;

e.  reading the internal and legal procedures related to incidents/accidents.

Therme has carried out an Data Protection Impact Assesement for the video image processing in order to identify and mitigate the risks associated with data processing, so that its legitimate interests do not prevail over your rights and freedoms.

The location of the cameras has been carefully reviewed to ensure that monitoring is as limited as possible in areas which are not of interest to the intended purpose. Areas where there is a high level of privacy expectations, such as toilets and similar locations, are not monitored.

The presence of video surveillance cameras is marked in each area of the Therme Bucharest resort, through information panels or illustrative icons located in visible areas, mainly at entrances, revolving doors and turnstiles.

Video images are generally stored for no more than 30 days. The retention period may be extended according to the purposes pursued insofar as some situations require the retention of video images for a longer period of time (depending on the time needed to further investigate a security breach, to defend legal claims, for the purpose of fulfilling a legal obligation or a well-established legitimate interest).

2.  When you show up to Therme cash registers to purchase products and services or to have your access granted according to online-purchased tickets, Therme will process personal data about:

a. purchased products and services;

b. date and time of visit, duration of visit;

c. financial data regarding the payment method (cash, credit card, Therme card) and the amounts paid;

d.  other details listed on online tickets or vouchers;

e. ccess bracelet number and assigned locker room number;

e.  signature acknowledgement of Therme Regulations;

Therme processes these data, both based on our agreement, on fulfiling its legal obligations, as well as for protecting its legitimate interest.

3. Using automatic systems

a.  Self check-in

Therme provides you with a check-in device, located in the cash register area, which helps you purchase your access tickets without the help of Therme staff, thus shortening the time spent at the cash registers.

The system uses a computer interface that allows you to choose the desired facilities and make payment. The check-in system does not process any personal data other than those necessary with respect to the chosen facilities and the card payment details.

The sales process continues at the cash registers, where the bracelet is issued and access is granted to the Therme Bucharest resort.

Using this service is optional. It can be used as an alternative to the conventional sales process.

b. Vending machine

It is another information system located in the cash register area that you can use upon your arrival at the location to activate tickets purchased online. The system scans the QR code listed on the online ticket, it reads and checks the information on it in the online store systems and issues access bracelets. The sales process continues at the cash registers, where the bracelet is issued and access is granted to the Therme Bucharest resort.

c. Self check-out

This information system is located at the exit areas and will allow you to make payment for the consumption recorded on the bracelet. The bracelet must subsequently be handed over to Therme staff at specially designed cash registers. The processing data refer to data recorded on the bracelet throughout the visit and to card payment details.

d.  Self invoice

You can use this information system to create and issue the tax invoice. To this end, the system allows you to scan the tax receipt so as to obtain the necessary payment information. The system is also synchronized to the ANAF database to recognize company data.

The system allows you to record additional personal data that you want listed on the invoice. First and last name, address (for natural persons). First and last name, ID series and no. (for legal representatives with respect to a company)

The recorded invoice and related data are kept by Therme under our mutual agreement for financial and accounting purposes to fulfill legal obligations.

4.  To comply with the access conditions to the Therme Bucharest resort, Therme may require you to confirm the eligibility of purchased tickets by submitting the following documents:

a.  identity document (ID, passport, etc.) to verify the minimum age required to access age-limited areas;

b.  pupil card/student card/pension slip to verify the eligibility of offers for these categories of persons;

c.  supporting documents for people with disabilities to be able to benefit from offers for guests with special needs;

Therme does not register or store these documents! Therme requests they be presented (at the time of the visit) in view of its legitimate interest in offering discounts to eligible persons. Refusal to present these documents may lead to the impossibility of granting these benefits.

5.  Using access bracelets

Therme uses bracelets based on RFID technology (Radio Frequency Identification) upon which access is made to the areas of the Therme Bucharest resort. In conjunction with multiple information technology systems, these bracelets help you access Therme facilities most effectively. 

Access bracelets are used for purposes such as:

a.  allowing access to the Therme Bucharest resort by scanning the bracelet at the turnstiles located in the cash register areas;

b.  allowing access from one area to another, including in areas that were not paid in the original ticket (access to a new area can be charged additionally, according to the access rates, by its registration on the bracelet);

c. securing the assigned locker room (closing/opening it), as well as the storage places assigned for electronic devices;

d. recording information regarding the products and services purchased using the bracelet (date and time of purchase, place where payment was made, name of products and services, etc.);

e. investigating and resolving complaints related to the use of Therme facilities. (The information collected through the bracelets may also be combined with other information we have about you, collected automatically or by manual means, for fulfiling the purposes mentioned);

f. paying the consumption recorded on the bracelet at check-out;

g. establishing the occupancy rate of the Therme Bucharest resort, etc.

Apart from those mentioned, other personal data may be: the bracelet number, the locker room number and its location, the bracelet status (active/inactive), records regarding passes from one area to another (date, time). Depending on the type of bracelet (green/blue/yellow/black/with locker room/without locker room, etc.) and the allowed areas, the age categories of customers can also be identified.

Using bracelets also helps in creating a pseudonym for your identity when accessing the facilities of Therme Bucharest.

The legal grounds for data processing in this regard are the agreements between you and Therme (for services provision), the fulfillment of legal obligations (with regard to the protection of goods and persons) and the legitimate interest of Therme (with regard to resolving complaints, recovering damages, etc.). Personal data are kept only for the necessary period in accordance with the processing purposes.

6.  Providing information regarding the issuance of financial and accounting documents , such as: payment orders, collection orders, receipts, tax receipts, non-tax receipts, invoices, protocols (statement, delivery-receipt of money amounts or vouchers, etc.); financial commitment for damage payment, financial commitment for consumption payment, cancellation form or other supporting documents.

The data processed in this regard refer to the identification data and contact details on your national identity card and its copy (only when this is absolutely necessary for the fulfilment of our legal obligations), financial data (related to paid or payable amounts), information regarding the services provided, and the details of the visit at Therme Bucharest (e.g., date of visit, check-in/check-out time, areas accessed, etc.)

Therme processes the data based on our mutual agreement, with respect to fulfilling its legal obligations for financial-accounting purposes, but also for protecting its legitimate interest, when processing is carried out in order to recover a damage caused by you.

Therme has updated its forms through which these data are collected so that they contain all the necessary information that you need to know about the processing of personal data.

7.  At the time of the visit, when filling out various printed forms, such as:

a. suggestions and complaints form, by providing contact details such as first and last name, telephone number, e-mail address, signature, or any other relevant information related to the reported situation. Thermal processes these data for purposes related to managing suggestions and complaints, by carrying out activities such as: document processing and registration, communications with you during investigations, additional internal checks, claim settlement, submitting response to you, submitting response to relevant authorities (if applicable), etc. The data are kept for a period of 3 years from the last communication regarding the resolution of your case.

b.  lost object form, by which you provide to Therme the following personal data: first and last name, number and series of the identity card, telephone number, e-mail address, detailed description of the lost items, area, estimated date and time regarding the loss of the item. Therme processes these data following the request and based on your consent, in order to comply with legal obligations and, where appropriate, to protect the legitimate interest of Therme. The data are kept for a period of 3 years from the last communication regarding the resolution of your case.

c.  commitment for outside-purchased food, which you must fill out when you want to consume food products which are not purchased from Therme (e.g., cake, if birthday parties are organized). The data are processed by Therme in order to ensure food safety, pursuant to the legal provisions of Ordinance 21/1992, including its subsequent amendments. The data processed are your first name, last name, address and signature, and they are kept for 30 days.

d. commitment statement which you must fill out, as a chaperone, when visiting us with a group of children, in order to supervise and guide them during their visit at Therme Bucharest. The data processed are: first name, last name, your capacity with respect to the children (teacher, parent, guardian, etc.) and signature. The statement also contains the list with the names of the children whom you commit to take care of. Processing is aimed at ensuring the health, security and safety of the children. Therme collects the data based on your consent given when signing the statement and retains the information for 30 days based on its legitimate interest.

With regard to the personal data processing of the children you accompany, please inform their parents/legal guardians about the data processing done by Therme in accordance with this Privacy Policy.

8.  With regard to the use of healthcare services at first aid stations within Therme Bucharest.

First aid stations located within the Therme resort carry out their activities pursuant to GD 1136/2007 - Methodological norms from 18.09.2007 (Romanian Law) on the setup of aquatic public rescue services - lifeguard, and of the location of first aid stations, regulations which are applicable to all economic operators who are managing beaches, public swimming pools, water parks or marinas, located in natural or designed inland waters. Therme collects your medical data with a view to fulfiling legal obligations, but also for performing our mutual agreement, which provides for compliance with the Rules of Procedure and Use of swimming pools and attractions.

Therme processes your personal data regarding your health status:

a.  if you have suffered an accident and you are given first aid (collecting data on your health); or when you ask for services provided at first aid stations for various health problems, which are not always a medical emergency.

b.  when Therme asks you to disclose data about your health, with regard to complying with the Rules of Procedure and Use of swimming pools and attractions, in order to protect the health of both you and other visitors.

c.  by filling out the first aid form to record all necessary and relevant data regarding the reason for the provision of medical care, for further investigations done by medical facilities (e.g., hospitals, family doctors, etc., upon your request), or for protecting the legitimate interest of both you and Therme, regarding the medical care provided, e.g., when the data are required for investigating and resolving a complaint.

d.  By transmitting the necessary data about your health status to the ambulance service (when necessary, based on your consent, or without your consent, based on your vital interest, when you are physically unable to give your consent).

Personal data collected in view of the processing of medical data, contained in the first aid form, are:

a. identification and contact data, age and gender.

b. details of the incident, if applicable (location, time and incident background);

c. medical findings regarding the reason for providing medical assistance;

d. statement regarding allergies;

e. details regarding the medical care provided (treatment, recommendations given by the medical assistant, etc);

f.  signature;

Data concerning persons under 16 years of age are provided only based on the agreement given by a parent/guardian/chaperone over 18 years old.

For minor incidents, Therme keeps first aid forms for no more than 30 days. For serious accidents, or for those to which Therme must provide a response following a complaint which you filled out, the retention period may be extended up to 3 years after our last communication with you or after the complaint has been resolved.

Therme pays particular attention to the processing of sensitive personal data and has taken additional protective measures to prevent security incidents. Therme also carried out an analysis of the impact on data protection in order to identify and mitigate the risks associated with the processing of these data categories.

9.  When providing appointment data for massage facilities, Therme processes your first name and access bracelet number. The data are deleted periodically, no later than 2 months after the service provision. The legal basis is the agreement between you and Therme for the provision of massage services.

10.  In view of using the Therme data network

Therme manages a Wi-Fi data network dedicated to visitors that can be accessed inside the Therme Bucharest resort during visits. Access to the network is done upon creating an account that will allow you to connect in optimal security conditions.

Based on your consent, in order to create an account and use the Wi-Fi data network, Therme will process the following data categories: first and last name, e-mail address, phone number, device data (IP address, MAC address, type of device, type of operating system, type of browser, network to which it has connected, etc.).

The purpose of the processing is also to prevent illegal activities carried out through the data network. Therme will keep the data processed for a period of 1 year based on its legitimate interest and may disclose them to the relevant authorities at their request, under the conditions provided for by law.\

11.  If you are a service provider having a business relationship with Therme and carry out activities within the resort, Therme collects your data for the purpose of ensuring health and safety at work in order to fulfill its legal obligations. The data collected are: first and last name, date of birth, profession, and your signature, by filling out the given register. The aforementioned data are kept for the duration of the service agreement and after its termination according to internal data storage criteria, based on the legitimate interest of Therme.

12. In light of preventing and countering SARS-CoV-2 virus

Pursuant to legal provisions, Therme has implemented measures that help prevent and counter the spread of the SARS-CoV-2 virus within the Therme Bucharest resort, by developing and installing an epidemiological triage system located at the resort entrance, in order to identify possible associated risks.

 The epidemiological triage is carried out in two stages:

a. by filling out a form regarding your health status, such as: symptoms or if you have had contact with people diagnosed with SARS-CoV-2 virus within the last 14 days, etc., which helps Therme identify the risk that you pose with respect to the infection with SARS-CoV-2 virus (the form does not require your identification data).

Each adult will be required to fill out the epidemiological form, and for children up to 16 years old, accompanying adults will be required to fill it out;

Upon validating the access form, you will receive a QR code on paper, which will contain the information filled out in the form. You are required to keep the QR code and hand it to the staff of the Cashiers department, upon receiving the access tickets;

b. temperature checks at marked crossing points.

If the answers to the access form allow moving on to the next step, you will be directed to the thermometry points.

Temperature data are not recorded. The result of the temperature measurements will be shown on a display facing you, and the displayed temperature will be the result of measurements from two independent systems; Access inside the resort will be granted to customers who have a measured temperature ≤ 37.3℃.

If the measured temperature is > 37.3℃, the persons will be directed to a secondary additional check point, where the medical staff will measure the temperature after 3-5 minutes of rest, by using a contactless thermometer.

The processing of the data provided is carried out in order to comply with the measures imposed by the authorities on preventing and countering the spread of the SARS-CoV-2 virus.

Therme keeps the QR code, which contains the data which you filled out for 30 days. The data are anonymous, but can be combined with other personal data, which you provide directly or indirectly during your visit to Therme Bucharest (e.g., date and time of visit, areas accessed, services used, etc.), for the purpose of identifying you, only when requested by the Public Health Authority or other relevant authorities.

After the aforementioned retention period has expired, the data are deleted from Therme systems and your identification for the aforementioned purposes is no longer possible.

The legal basis of the processing is art. 9.2. para. (g) of the GDPR regarding the need for processing for reasons of substantial public interest in the field of Public Health and art. 6.1. para. (c) of the GDPR for the fulfillment of legal obligations, according to the provisions of the Order of the Minister of Health and of the Minister of Internal Affairs no. 874/81/2020 on mandatory wearing of the protective mask, epidemiological triage and mandatory hand disinfection to prevent contamination with SARS-CoV-2 virus during the state of alert, with subsequent amendments, or according to other regulations established by the authorities in relation to this subject. The data retention for the aforementioned period is also carried out based on the legitimate interest of Therme in proving compliance with legal obligations.

Therme has taken all appropriate, technical and organisational measures to ensure that the data are accessed only by authorised persons and only when it is imperative.

13. Other cases in which Therme processes personal data:

a. when visiting the Therme Bucharest resort (not acting as a customer), Therme may register your first and last name in the visitor register, according to its internal security procedures.

b. for archiving purposes, according to the limitation periods regulated by the national and European legislation;

c.  for managing financial transactions between you and Therme;

d. for protecting Therme's rights in court.

Therme may also inform you about the processing of your personal data through alternative or additional methods, verbally or in writing, by:

a.  your interacting with Therme staff;

b.  filling out various electronic or printed forms;

c.  e-mail or phone;

d. competition regulations (for marketing campaigns)

e. other means, depending on the processing background;

14. Other data operators that may process your data within the Therme Bucharest resort

a. Taxi companies by your using information systems which are located in the cash register area for sending taxi orders.

b.  Media, by creating photo, audio-video materials for journalistic purposes.

c.  Partners who have a contractual relationship with Therme and carry out their activity in order to organize events, TV productions, promotions of products and services, for their own purposes.

Data controllers who process your data for their own purposes, such as those mentioned above, are required to fulfill all legal obligations with respect to you, in accordance with legal data protection regulations.

To whom do we disclose your personal data?

For fulfilling the processing purposes, Therme may disclose your data to its legal representatives, service providers, partners or other third parties who assist Therme in its activities in areas such as: marketing, IT, financial-accounting, legal, security, audit, etc.

They carry out activities such as:

a.  organizing and managing marketing activities; (marketing campaigns, commercial communications, organizing events, activities promoting Therme, etc);

b.  developing, maintaining, managing and granting technical support with regard to information systems;

c.  maintaining, customizing, managing and improving the website, applications and services performed through them;

d.  performing data analysis, testing and research, monitoring usage and activity trends, developing safety features and user authentication;

e. legal advisory;

f.  accounting and financial advisory;

g. audit;

h. market studies and analysis, data analysis, testing and research.

Personal data are generally processed throughout Romania and within the European Economic Area, in countries such as Germany or Austria, according to the provisions of the GDPR, in full security conditions.

To the extent that it is necessary to transfer your data to third countries that are outside the jurisdiction of the GDPR, Therme will ensure that the transfer will be carried out pursuant to the regulations of articles 45-49 of the GDPR.

Where necessary, data transfers to service providers or other third parties will be protected by contractual arrangements (according to art. 26 and art. 28 of the GDPR) and, where appropriate (for international transfers to countries that do not provide an adequate protection level), through other guarantees, such as standard contractual clauses issued by the European Commission.

In these cases, Therme will always take steps to ensure that any international transfer of personal data is handled carefully in order to protect your rights and freedoms. 

What are your rights?

Under the conditions provided for by the legislation on the processing of personal data, as a data subject, you benefit from the following rights:

a.  the right to be informed, i.e., the right to receive details regarding the processing activities carried out by Therme, as set out in this document;

b.  the right to obtain access to data, i.e., the right to obtain confirmation from Therme regarding the processing of personal data, as well as details of the processing activities, such as the way in which the data are processed, the purpose for which the processing is carried out, the recipients or categories of data recipients, etc.;

c.  the right to rectification, i.e., the right to obtain from Therme the rectification, without undue delay, of inaccurate/unjustified personal data, as well as the completion of incomplete data; the correction/completion will be communicated to each recipient to whom the data were transmitted, unless this proves impossible or involves disproportionate efforts.

d.  the right to erasure, without undue delay, (“right to be forgotten”), if one of the following grounds applies:

  • they are no longer needed to fulfill the purposes for which they were collected or processed;
  • if you have withdrawn your consent and there is no other legal basis for the processing;
  • if you object to the processing and there are no legitimate grounds which prevail;
  • if personal data have been processed illegally;
  • if personal data have to be deleted in order to comply with a legal obligation;
  • personal data have been collected with respect to the provision of information society services under the European Union or national law to which Therme is subjected.

Following your request to delete the data, Therme may anonymize these data (thus depriving them of their personal character) and continue the processing for statistical purposes in these conditions;

e.  the right to restriction of processinginsofar as :

  • you challenge the accuracy of the data, for a period that allows us to verify the data correctness;
  • the processing is illegal and you object to the erasure of personal data, requesting instead to restrict their use;
  • Therme no longer needs the personal data for the purpose of processing, but you request it for establishing, exercising or defending a right in court; or
  • you have objected to processing (other than direct marketing purposes), for the time period in which a verification is conducted to check if Therme's legitimate rights prevail over your rights.

f.  the right to data portability, i.e., (i) the right to receive personal data in a structured, commonly used and machine-readable format, as well as (ii) the right that such data be transmitted by Therme to another data controller, to the extent that the conditions laid down by the law are met;

g.  the right to object - with regard to processing activities can be exercised by submitting a request as shown below:

  • at any time, for reasons related to the particular situation in which you are, for data concerning you to be processed on the basis of Therme's legitimate interest or on the basis of public interest, unless Therme can prove that it has legitimate and compelling reasons justifying the processing, which prevail over your interests, rights and freedoms, or that the purpose is to determine, exercise or defend a right in court;
  • at any time, free of charge and without any justification, that the data subject to the person be processed for direct marketing purposes.

h. the right not to be subject to an automated individual decision-making, i.e., the right not to be subject to a decision based solely on automated processing activities, including profiling, which produces legal effects that concern or similarly affect you to a significant extent;

i.  the right to contact the National Supervisory Authority for the Processing of Personal Data or the competent courts, insofar as you deem necessary, directly on the website of the authority: www.dataprotection.ro.

How can you exercise your rights?

Should you choose to exercise any of your rights related to the processing of personal data done by Therme, to obtain further information or clarification regarding the processing of your personal data, please contact Therme at the e-mail address: dataprotection@therme.ro

Therme provides information on the processing of personal data free of charge based on a request, without undue delay, within no more than 30 calendar days from the date the request was registered. Depending on the complexity of the information requested, this deadline may be extended by 60 days by informing you of the reasons for extending the original deadline. For requests received in electronic format, the information will be provided in electronic format, unless you request the information in another (printed) format. Should you request the same repetitive, excessive information or information without legal basis from us, Therme may refuse to provide the information.

Depending on the nature of your request, Therme may ask you for additional information containing personal data, only if it is necessary to identify or investigate and resolve your request.

Updating the Privacy Policy

Therme may update and modify the Privacy Policy to cover all changes regarding the manner in which your personal data are processed, as well as changes in legal requirements regarding the processing of personal data.

 

Please visit this page on a regular basis to ensure that you always have up-to-date information.

 

Last update: June 2021