Informative Notice regarding the protection of personal data
CORVINUS INTERNATIONAL SRL (hereinafter referred to as “CAPITAL PLAZA”), with registered office in 54, Iancu de Hunedoara Blvd., Bucharest, District 1, registered at the Trade Registry under no. J40/5905/2004, URC 16327042, as owner operator of the “Capital Plaza” Hotel, respectively of the website www.capitalplaza.ro, respects the privacy and security of personal data when processing the data of each person using the services of Capital Plaza Hotel and/or accessing the website. For this purpose, we make every effort to ensure that the information that is entered into our databases is used only for determined, explicit and legitimate purposes.
Definitions:
ANSPDCP = the National Supervisory Authority for Personal Data Processing;
“personal data” means any information related to an identified or identifiable person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, particularly by referring to an identification element, such as a name, an identification number, location data, an online identifier, or one or several elements specific to his/her own physical, physiological, genetic, mental, economic, cultural or social identity;
“processing” means any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as the collection, recording, organization, structuring, storage, adaptation or amendment, removal, consultation, use, disclosure by sending, sharing or making available in any other method, alignment or combination, restriction, deletion or destruction;
“restriction of processing” means the marking of stored personal data in order to limit their future processing;
“controller” means a natural or legal person, public authority, agency or other body which, alone or together with others, establishes the purposes and means of processing personal data; where the purposes and means of processing are determined by EU or national law, the controller or the specific criteria for its appointment may be provided by EU or national law;
“processor” means a natural or legal person, a public authority, an agency or another body that processes personal data on behalf of the controller;
“recipient” means the natural or legal person, public authority, agency or other body to whom/which personal data are disclosed, whether or not he/she/it is a third party. However, public authorities to which personal data may be communicated in a particular investigation under the EU or national law shall not be considered as recipients; the processing of such data by the respective public authorities observes the applicable data protection rules, according to the purposes of the processing;
“Consent” of the data subject means any manifestation of the free, specific, informed and unambiguous will of the data subject by which he/she/it accepts, through a statement or an unequivocal action, the processing of his/her/its personal data.
All our personal data processing activities observe the following principles:
are processed legally, fairly and transparently (“legality, fairness and transparency”)
are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with these purposes (“purpose limitation”)
are appropriate, relevant, and limited to what is required in relation to the purposes for which they are processed (“data minimization”)
are accurate and, if necessary, updated (“accuracy”);
are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
Types of processed personal data
In providing hotel services and organizing events for clients, CAPITAL PLAZA processes the following types of personal data:
a. data required to make reservations (e.g. surname, first name, e-mail, phone number);
b. the data of the arrival/departure sheet required under national law (e.g. citizenship, address, date of birth);
c. bank card details (card type, credit/debit card number, holder’s name, expiration date, and security code);
d. customer stay information, including arrival and departure dates, special requests, preferences;
e. the information you provide about your marketing preferences;
f. the personal data you provide to register and subscribe to the newsletter;
g. information about the vehicles you may bring on our property, such as the registration number;
h. data collected from access cards (time of entry and exit);
i. information collected by various contractual partners (travel agencies, event organizers) and transmitted to CAPITAL PLAZA (rooming list, event guest list);
j. data necessary to provide additional services, according to the case;
k. reviews and opinions about our services;
l. any other information you choose to provide us with.
A special category of personal data includes racial or ethnic origin, political opinions, religious confession or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, health data, or data on sex life or sexual orientation.
Generally, we do not collect special information, unless you want to provide us with it. We collect special data concerning health only on grounds of your consent and only to customize the menu and prevent triggering an allergic reaction.
Also, surveillance cameras and other security measures on our properties may capture or record guests’ images in public places (such as the hotel, restaurant or hallway entrances) as well as your location data (through the images captured by surveillance cameras).
You can always choose which personal data you want to provide us with. However, if you choose not to provide certain personal data, if the grounds of our request is to comply with a legal obligation, contractual obligations or obligations required to conclude a contract, we shall be unable to provide you with certain services, for example: (i) if you do not wish to give us your surname, first name, e-mail address or phone number, if you wish to make a reservation, we shall not be able to make the reservation, or (ii) considering the fact that in the arrival and departure sheet that you fill out at check-in, you shall be required to enter some mandatory personal data required by law, and if you do not want to fill in those mandatory fields, we shall not be able to allow you to check into our hotel.
If you are a representative or contact person of our suppliers or business partners, we collect the surname, first name, position, and any other data provided by you or the company that you represent.
If you are under the age of 16, you must obtain the parental or guardian’s consent or authorization for any personal data you provide.
If you are applying or intending to apply for one of the vacant positions published by CAPITAL PLAZA on various channels, we usually collect the following types of personal data:
Job and formal education history;
Professional skills, abilities;
Date of birth, age;
Citizenship and ability to perform paid work on Romanian territory;
Information provided during interviews that may contain own experiences, performance, personal history data, etc.
Information provided by references;
the information contained in your resume and the resume itself;
information you provide about your career interests and other information about your employment qualifications.
You provide these data voluntarily in a recruitment process you enter voluntarily. Also, as a candidate for a job published by CAPITAL PLAZA, you determine the complexity of the provided information. Also, to the extent that information is not provided or misrepresented, it may affect our ability to consider an individual in a recruitment/employment process or to provide relevant employment opportunities. In addition, it is mandatory to provide accurate personal data and evidence of these data, otherwise the labor agreements are considered null and void.
If you are a visitor to our location, we collect the surname, first name, ID series and number. Surveillance cameras may also capture or record visitors’ images in public places (such as the hotel, restaurant or hallway entrances).
The purpose of the processing
CAPITAL PLAZA processes your personal data for the following purposes:
making and confirming reservations upon your request
providing information on commercial offers/services;
taking the necessary steps to conclude an agreement;
answering questions and requests;
defending against cyber attacks;
for marketing activities, with your consent;
providing and improving the services we offer;
Personal data collection method
We collect personal data in various ways and on multiple channels, such as:
in electronic format via email, through the website www.capitalplaza.ro
through the communication channels associated with the social media apps Facebook, LinkedIn, Twitter, etc.;
through recruitment facilitation platforms: bestjobs, ejobs, linkedin, etc.;
during our interactions with our clients and suppliers
The legal ground for the processing
With respect to the data voluntarily provided to us by filling out and submitting the forms or by contacting us in any way, the legal ground is “to take steps at the request of the data subject prior to entering into a contract” (Article 6, paragraph 1, letter b of Regulation (EU) 679/2016).
Also, tourist accommodation is regulated by the rule regarding the access, records and protection of tourists in tourist reception structures from 08.02.2001 (as subsequently amended and supplemented), which states:
“Art. 2. -
(1) The administrators of tourist reception structures are obliged to ensure the registration of all tourists in the operative records, upon their arrival, and the filling in of the form “Arrival and departure notification form”.
[...]
(4) Each tourist shall fill in the sheets at the time of arrival, based on their identity documents, which, for Romanian citizens, are: identity bulletin/card and passport, seaman or pilot license; for foreign citizens, these are: passport, identity card, temporary pass, border traffic permit, seaman or pilot license, and for conscript military men/women and the students of military educational institutions, these are: identity bulletin/card or, where applicable, military identity papers (service card or ID card).
(5) It is forbidden to accommodate any person that does not have an identity document.
(6) The arrival and departure notification sheets, filled out and signed by the accommodated tourists, are taken over together with the identity documents by the receptionists, who are obligated to corroborate the data in the sheets with those in the identity document, to sign the sheets in order to confirm their accurate content and immediately return the identity documents to the tourists.
(7) The responsibility for the correct filling out of the arrival and departure notification sheets lies with the receptionists.
[...]
(9) The originals of the arrival and departure notification sheets, grouped in alphabetical order, are provided to the police daily.
(10) The copies of the arrival and departure notification sheets, grouped in the same way as the originals, remain with the tourist reception structures, with a 5 year archiving term.”
The personal data processing in the check-in process is based on the legal obligation of CAPITAL PLAZA.
According to the GDPR (applicable from 25 May 2018), the consent of the person is not required if the processing is necessary in order to take steps for entering into an agreement, the fulfillment of a legal obligation or the legitimate interest.
Regarding the data we automatically collect by using cookies or other similar technologies, the ground for processing is the consent. By accessing the website, the user validly consents to the processing.
The processing of personal data on grounds of consent is based on various marketing communications, such as the promotion of the CAPITAL PLAZA services and does not condition the provision of contractual services.
Personal data storage periods
Your personal data shall be retained by CAPITAL PLAZA for a period that does not exceed the period necessary to achieve the purposes described above and/or for any other period required by virtue of the applicable legal obligations.
The data contained in the accommodation sheet are stored for a 5 year period, according to the legislation in force.
The data contained in the fiscal invoices are stored for a 10 year period, according to the legislation in force.
International data transfers
In performing its activities, CAPITAL PLAZA does not intend to disclose or transfer the personal data of natural persons to third parties located outside the EEA (European Economic Area).
We have an obligation to disclose this information to the following entities:
Service providers. We can disclose the information to other companies that provide us with services and act as processors, such as the company that provides support services for the IT infrastructure of CAPITAL PLAZA. These entities are selected with great care, to ensure that they meet the specific personal data protection requirements. These entities have a limited capacity to use the information provided by us for purposes other than providing us with services;
Courts, prosecutors, police or other central and local public authorities, in order to comply with the law or in response to a mandatory legal procedure (court order, etc.);
Other parties, with consent or upon collected instructions. In addition to the situations described in this informative notice, we may transmit the information to third parties, if the user consents or requests us to do so.
Your rights
CAPITAL PLAZA undertakes to comply with the requirements of the European Regulation 2016/679/EU (“GDPR”) and the rights of natural persons, namely:
Right of access - the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to those data and information on how the data is processed.
Right to data portability - the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data directly to another controller, if technically feasible.
Right to object - the right of the data subject to object to the processing of personal data, where the processing is necessary for the performance of a task which is in the public interest or when the controller’s legitimate interest is taken into account. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data.
Right to rectification - correction, without undue delay, of inaccurate personal data stored. The rectification shall be communicated to each data recipient, unless this proves impossible or involves disproportionate (provable) efforts.
Right to erasure (“right to be forgotten”) - the right of the data subject to request the erasure of his or her personal data, without undue delay where one of the following grounds applies: they are no longer necessary for the purposes for which they were collected or processed; the data subject withdraws consent and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation; the personal data have been collected in relation to the offer of information society services.
The right to restrict processing - the right exercised when the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
The right not to be subject to an automated decision-making process - in this sense, CAPITAL PLAZA does not use IT applications, algorithms, artificial intelligence or automation to make decisions that affect natural persons.
In order to exercise your rights, please submit your request to [email protected]
CAPITAL PLAZA has implemented organizational and technical security procedures to ensure the confidentiality, transparency, integrity and availability of personal data and to comply with the requirements of the European Regulation 2016/679/EU.
If you consider that your rights, granted by Regulation no. 679/2016, have been violated by CAPITAL PLAZA, you have the possibility to address the ANSPDCP by filing a complaint.
The ANSPDCP contact details are as follows:
Address: B-dul G-ral. Gheorghe Magheru 28-30
District 1, postal code 010336
Bucharest, Romania
Phone: +40.318.059.211
+40.318.059.212
Fax: +40.318.059.602
Email: [email protected]
Website: www.dataprotection.ro
This notice may be subject to updates without prior notice. We invite you to periodically review this section for up-to-date information about the types of personal data that are processed by CAPITAL PLAZA, and how they are used.