The General Policy On The Protection Of Personal Data

WHO WE ARE

The Company MEDUSA HOTEL INTERNATIONAL S.R.L. (”MEDUSA”), with the registered office in Bucharest, str. Jandarmeriei, nr. 14A, sector 1, registered with the Companies Register under the no. J40/211297/1994, Tax Identification Code RO 6505878, Telephone: (+40) 744.332.155, Website: http://www.stejariicountryclub.ro, e-mail: office@stejariicountryclub.ro, the Data Protection Officer’s email: dpo@stejariicountryclub.ro, is a personal data controller collecting such data while carrying out its legitimate business.

MEDUSA collects data in several modes and ways: when you contact us by phone or email, when you visit our website, when you request us a quotation, when you sign with us a subscription or when you file a request with us. We also collect data when you visit our head office, as well as when you send us CVs or applications for a job.

DEFINITIONS

Personal Data (Data) – means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Special categories of personal data – any information disclosing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal Data Processing (Processing) – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject – a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller – natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by the Union or domestic law, the controller or the specific criteria for its nomination may be provided for by the Union or domestic law.

Processor – the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement of by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Pseudonymisation –  means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. The principles on the processing of personal data apply to the pseudonymised data, as they represent personal data.

Anonymisation – means the processing of the personal data in such a manner that it is irreversible and which transform the data so that the data subject is not or no longer identifiable. The principles on the processing of personal data do not apply to the data rendered anonymous, as they no longer represent personal data.

ANSPDCP – means the independent public authority from Romania, respectively the National Authority for the Surveillance of Personal Data Processing.

GDPR – The Regulation  (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

 

OUR VISION ON THE PROCESSING OF PERSONAL DATA AND MEDUSA’S ENGAGEMENTS

The processing of personal data within MEDUSA is always subject to the following principles:

  • The data will be processed lawfully
  • The data will be fairly processed
  • We inform the data subjects on what data we process, why, how and for how long we process them, whether and to whom we transfer them, as well as on the rights they have in relation to their data
  • The data are collected for specified, explicit and legitimate purposes and they are not further processed in a manner that is incompatible with those purposes
  • The data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • We endeavour to use  only accurate data and where necessary, we try to keep them up to date
  • The data are kept in a form which enables the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; the personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the suitable technical and organisational measures
  • The data are processed in a manner that ensures suitable security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using suitable technical or organisational measures

MEDUSA provides that it complies with such principles in terms of its current activities, as well as if it implements  in the future new data processing technologies, such as, but not limited to, new IT systems.

 

WHAT PERSONAL DATA WE PROCESS

Throughout MEDUSA’s activity, the data subjects are informed every time we collect and process  personal data (for example, upon sending an inquiry or quotation, upon entering into of a contract, upon receiving a CV, etc.).

WHY AND HOW WE USE THE PERSONAL DATA CONCERNING YOU

The personal data concerning you are used in order to carry out our business, including in order to prepare offers, to enter into subscription contracts, to provide you with services, to provide you with information on our events and activities and those ones of our partners, to comply with our clients’ requests, to be subject to mandatory or recommended verifications, to comply with the requests of the competent authorities monitoring  and regulating our business.

We also process personal data in order to provide the security of premises where we carry out our business, of the goods we use to this purpose, the safety of our employees and of the data and information we manage.

The personal data concerning you are processed by collection, recording, organization, storage, alteration, consultation, use, disclosure by transmission, making available, combination, restriction, erasure, destruction and so on.

The personal data concerning  you will not be subject to an automated decision-making (including profiling), but in exceptional cases, in which case the data subject is informed on its existence, as well as on the details related to this special mode of processing.

For instance, please see our Cookies Policy and other online identifiers in order to find further information on our profiling and in order to render your opinion to this purpose.

 

ON WHAT GROUNDS WE USE THE PERSONAL DATA CONCERNING YOU

MEDUSA aims at processing the data taking into account at least one of the legal grounds listed hereinafter:

  1. a) The consent – If there is no other legal ground for the processing mentioned below, MEDUSA will always procure the consent of the data subject for the processing of the personal data concerning him/her for one or several specific purposes.
  2. b) The performance/ entering into of a contract – The processing is required for the performance by MEDUSA of a contract to which the data subject is party or for proceeding at the data subject’ s request before entering into a contract.
  3. c) Legal obligation – The processing is required for the purposes of complying with a legal obligation incumbent upon MEDUSA.
  4. d) Legitimate interest – The processing is required for the legitimate interests pursued by MEDUSA or by a third party, pursuant to law. For instance, in case of recording the phone calls, MEDUSA has a legitimate interest for evidence purposes or for the purposes of improving the provided services.
  5. e) Vital interest – The processing is required in order to protect the vital interests of the data subject or of other natural persons.
  6. f) Public interest – The processing is required for carrying out a task serving a public interest or arising from the exercise of the public authority which the controller is invested with.

As for the special categories of personal data, MEDUSA complies with the applicable legal provisions in order to provide at all times a valid legal ground for the processing.

 

TO WHOM WE TRANSMIT THE PERSONAL DATA CONCERNING YOU

It is possible that the personal data concerning you be transmitted to some third parties- companies which we collaborate with in order to provide you with full services, for instance, beauty services, marketing companies, auditing companies, outsourced companies for IT services, competent authorities, etc . Whenever we do so, we provide that it is duly reasoned, that we transmit solely the data strictly required for the purpose of the transmission and we endeavour to provide that the recipient provides a high standard of protection to the personal data.

If the data are processed by a third party provider/supplier/partner/agent for the controller MEDUSA under a service contract whatsoever between MEDUSA and such third party (acting as processor in terms of GDPR), such contracts are entered into in written form and include a series of specific clauses, under which such third parties would provide MEDUSA with sufficient safeguards for the implementation of suitable technical and organizational measures, so that the processing would complies with the requirements provided for in  GDPR and provide the protection of the data subject’s rights.

The personal data may be transferred to an international organization or to a third state in relation to EU and EEA (EEA includes both EU and Island, Liechestenstein and Norway) solely if such organization or state to which the transfer is contemplated may provide a suitable level of protection as per the requirements in  GDPR.

The transfer of data to an international organization or to a state whose legislation does not provide an suitable  level of protection, acknowledged under an adequacy decision issued by the European Commission, is possible solely if there are sufficient safeguards in relation to the protection of the fundamental rights of the data subjects and provided that the data subjects have effective remedies at law and opposable rights . Such safeguards are established by  MEDUSA, as per  GDPR, in contracts/ agreements entered into with suppliers/ service providers to which the data are transferred or in other legal way, from case to case.

 

FOR HOW LONG AND HOW WE PRESERVE THE PERSONAL DATA CONCERNING YOU

We preserve the personal data concerning you as long as we need them or for the period provided for by the effective law. We provide in the Information Notes and our Consent Forms, as well as in contracts, actual information on the retention periods applicable to each separate case.

All this while, we provide that the data are preserved in safety and in case of some security breaches, we are prepared to implement all the technical, organizational and legal measures in order to limit the possible consequences and inform ANSPDCP, as well as the data subjects, if there are any risks to them.

Insofar as it is possible, we render anonymous the data that are no longer necessary in a way enabling  the identification of the data subjects or we implement the pseudonimysation in order to limit the risks related to the processed personal data.

 

WHAT RIGHTS YOU HAVE IN RELATION TO THE PERSONAL DATA CONCERNING YOU PROCESSED BY US

A. The Right of Access to Data

Any Data Subject has the right to obtain from MEDUSA, when it acts as controller, at request and free of charge for one request per year, the confirmation as to whether or not the data concerning him/her are being processed and where that is the case, there will be provided information related to: the purposes of the processing; the categories of data concerned; the recipients or categories of recipients, in particular recipients in third countries or international organisations, as well as the  proper warranties provided in case of such a transfer of data; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from MEDUSA the rectification or erasure of the data or the restriction of their processing or the right to object to such processing; the right to lodge a complaint with  ANSPDCP; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, as well as meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.

B. The Right to Rectification

The data subject has the right to obtain from  MEDUSA, as controller, without undue delay the rectification of inaccurate personal data concerning him/her.

Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

C. The Right to Erasure („The Right to be forgotten”)

The data subject has the right to obtain the erasure of personal data concerning him/her without undue delay and  MEDUSA shall have the obligation to erase the data without undue delay if:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or processed;

b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

c) the personal data have been unlawfully processed;

d) the data subject objects to processing as per GDPR;

e) the data have to be erased for compliance with a legal obligation of the controller;

f) the personal data have been collected in relation to the offer of information society services to the underage children as per GDPR;

g) the personal data have been collected in relation to the offer of information society services to children as per GDPR.

MEDUSA, as controller, may refuse the request of data erasure in the following cases:

a) the processing is necessary for exercising the right of freedom of expression and information;

b) the processing is necessary for compliance with a legal obligation to which the controller is subject;

c) the processing is necessary for reasons of public interest in the area of public health, under the restrictive conditions required by GDPR;

d) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as per GDPR, insofar as the exercise of the right is likely to render impossible or seriously impair the achievement of the objectives of that processing;

e) the processing is necessary for the establishment, exercise or defence of legal claims.

D. The Right to Restriction of Processing

The data subject shall have the right to obtain from MEDUSA, as controller, restriction of processing in the following cases:

a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) MEDUSA no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;

e) the data subject that obtained the restriction of the processing is notified by MEDUSA before the removal of the restriction to processing.

E. The Right to Object

The data subject has the right in relation to MEDUSA:

a) to object at any time, on grounds relating to his/her particular situation, that the data concerning him/her be the subject of a processing based on the public interest or legitimate interest. In case of objection, the processing cannot longer refer to such data unless there are compelling and legitimate grounds for the processing which override the rights of the data subject or for the establishment, exercise or defence of legal claims.

b) to object at any time, free of charge and without any cause, that the data concerning him/her be processed for direct marketing purposes, including profiling to such purpose.

F. The Right to Data Portability

The data subject has the right in relation to MEDUSA to receive – in a structured, commonly used and machine-readable format – the personal data concerning him/her and that he/she provided to the Company and the right to transmit them to another controller where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

In exercising his/her right to data portability, the data subject has the right to have his/her data transmitted directly from MEDUSA to another controller where technically feasible.

G. The Right Not to Be Subject to an Automated Decision (including profiling)

To this purpose, the data subject has the right in relation to MEDUSA not to be subject to a decision based solely on automated processing (including profiling) and which produces legal effects concerning the data subject or significantly affects him/her.

This right shall not apply in the following exceptional cases in which the automated decision:

a) is necessary for entering into or performance of a contract between the data subject and MEDUSA;

b) is authorised by the Union law or the domestic law to which MEDUSA is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

 In the cases referred to in the points  a) and c) of this paragraph, MEDUSA must implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his/her point of view and to contest the decision.

H. The Right to Withdraw Consent

Where the processing of data is based on your consent, you may withdraw your consent, in which case we no longer process the personal data concerning you. The withdrawal of the consent will not affect the processing carried out by that time.

As a data subject, you have the right to request access to the personal data that we might have on you, as well as to request their rectification or erasure, the restriction of processing of the personal data concerning you, the data portability, you have the right to object to processing of your personal data, as well as the right not to be subject to a decision based solely on automated processing (including profiling).

Moreover, if you gave in the past your consent to the processing of the personal data concerning you and you want to withdraw it, you may use the below form.

If you want to submit any of the said requests, please download this form, fill it out and send it to us by email to the address  dpo@stejariicountryclub.ro.

Please add to the subject of the email, where applicable, the phrase  ”Cerere retragere consimtamant”/”Cerere de acces date”/ ”Cerere rectificare date” / ”Cerere stergere date”/„Cerere restrictionare prelucrare”/”Cerere portabilitate date”/”Obiectii prelucrare date”/”Cerere de pentru non-prelucrare automata” (“Request for Consent Withdrawal/ “Request for Access to Data”/ “Request for Rectification of Data”/ “Request for Erasure of Data”/ “Request for Restriction of Processing/ “Request for Data Portability”/” Objections to Processing of Data”/ “Request for Not Being Subject to Automated Processing”)

Download here: 

DATA-RELATED REQUEST FORM

 I. The Right to Bring a Legal Action and/or Lodge a Complaint with ANSPDCP 

The data subject whose personal data are processed by MEDUSA has:

  1. a) the right to lodge a complaint with ANSPDCP (the National Authority for the Surveillance of Personal Data Processing, head office: Bucharest, Bdul Gen. Gheorghe Magheru nr. 28-30, sector 1, CP 010336; Telephone: +40.318.05.92.11, Fax: +40.318.05.96.02 email: anspdcp@dataprotection.ro, website: dataprotection.ro) if the data subject considers that the personal data concerning him/her are processed with the violation of GDPR;
  2. b) the right to bring a legal action if the data subject considers that the personal data concerning him/her are processed with the violation of GDPR.