Thank you for your interest in our services!

The security and confidentiality of your personal data are a priority for us. In this document you will find our Privacy Policy and Video Surveillance, completed with the Cookies Policy available on the website.

OPERATOR’S IDENTIFICATION DATA. CONTACTS

The operator that processes personal data through this web page is the company Apulum Turism SRL, with headquarters in APULUM TURISM SRL, with headquarters in Loc. Cluj-Napoca, Str. Fagetului 74 Cluj County, registered at ORC no J12/1553/2019, CIF RO 30511872

For any requests/reports/complaints regarding your personal data and additional information, you can contact us in writing, at the address of our headquarters or by e-mail to the attention of the Data Protection Officer, at welcome@hotelelania.ro

ESSENTIAL NOTICES, according to the definitions of European Regulation no. 679/2016 (GDPR)

“personal data” means any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more many specific elements, specific to his physical, physiological, genetic, psychological, economic, cultural or social identity;

“processing” means any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction;

CONTENT AND PURPOSE SCOPE OF APPLICATION

Through this document, we ensure, for all visitors and users of this web page, information and obtaining evidence of express/implicit consent, deduced from the circumstances of browsing the site and the voluntary transmission of data to us, through the available/displayed communication channels.

The present provisions apply both to data processing carried out through this web page and to data processing through third-party pages/ways, in the context of which reference is made to them – example: recruitment notices published on third-party web pages/data processing through and in the context of online promotion and marketing activities/through social networks – direct/indirect processing through external sources that refer to this policy explicitly.

PERSONAL DATA COLLECTED DIRECTLY THROUGH THE WEB PAGE OR FROM THE ONLINE ENVIRONMENT, IN GENERAL

Processed data depends on the section/functionality accessed on the site, as well as on the way and purpose in which you communicate with us through the site:

Data collected through cookie modules, automatically when accessing/navigating in various sections/accessing various functionalities – for details, see the Cookies Policy.

Completing the contact form available on the site: name, surname, e-mail address, telephone number, gender (to the extent that it is implicit in the name or e-mail address).

Distinct from these, the data provided by the data subject voluntarily, without the request of the operator, by completing the space intended for the message itself (eg: date of birth/age/occupation/function/place of work, provided implicitly in the context of requests for information/offers for events ).

Sending messages of any type or making phone calls to the contact addresses displayed on the website (other than through the contact form): the contact data related to the chosen method of communication and, possibly, the gender, (to the extent that it is implicit in the name or e-mail address), any data provided in the message itself, name and surname, data related to submitted CVs, data regarding the position held within a company (in the case of company representatives who address collaboration initiatives), data deduced from the nature/purpose of the events for which offers/information are requested.

Issuance of booking requests through third-party tourism sites: name, surname, e-mail address, telephone number, card type, credit/debit card number, holder’s name, expiry date and security code, period of stay , (required), gender, (if it is implied from the first name/e-mail address),

For online group reservations, only the data of the person making the reservation is requested, indicating the number of people in the group, as well as the name and surname of those in the group. (If applicable, the age of the minors in the group will be specified).

When staying/using specific facilities and services at the location, additional data will be collected, to the extent strictly necessary.

In the case of events, as a rule, only the data of the organizer – specified above for reservations – will be collected, to which data related to the nature and purpose of the event can be added, unsolicited/inherently (events dedicated to a certain ethnic group/weddings, baptisms, festive days /position, workplace, occupation, profession in the case of teambuilding/profile conferences, etc.). There may be situations in which the verification of access to the event requires the use of the guest list (surname-surname). After the completion of the event, the list will be destroyed.

Subscribe to the newsletter/join our online community/activate the marketing cookies used by our website: e-mail – provided voluntarily, associated with a distinct and revocable consent – for details, see the Cookies Policy.

Sending requests/complaints/reports regarding personal data: name, surname, gender (to the extent that it can be deduced from the first name or e-mail), contact data related to the chosen communication method or other contact data (if wants to receive the answer in another way) and another identification attribute (only in the conditions described below, in the section Requests/complaints/reports regarding personal data)

Registration for promotions, contests and campaigns – under the processing conditions stipulated in the Official Regulations related to each event organized by the Operator.

Visiting and interacting with/Publishing testimonials in social networks managed by the Operator (Facebook, Instagram, LinkedIn, Youtube, TikTok): own user name on the page, public data associated with the personal page, accessible implicitly through interaction with the site, data contained in the actual message/images/videos voluntarily released publicly on these pages, which fall under the consent and responsibility of the person who releases them.

These data will be left on public display/deleted from the page, at the company’s disposal. You can delete any time/you can ask us to delete the information associated with/published on our pages at any time. We do not assume responsibility in relation to third-party downloads from our own pages.

These data will be left on public display/deleted from the page, at the company’s disposal. You can delete any time/you can ask us to delete the information associated with/published on our pages at any time. We do not assume responsibility in relation to third-party downloads from our own pages.

For more information on the data processing carried out through these pages, you can consult their own privacy policies.

BASIS AND PURPOSES OF PROCESSING

Data related to cookies – for details, see the Cookies Policy

Data related to the contact form sent through the site and messages of any type sent to the contact addresses displayed on the site:

• Basis – your consent, our legal or contractual obligation, our prevailing legitimate interest
• Purpose: for managing, solving, providing answers, investigating/using any requests/reports/complaints/offers received through the contact forms, for carrying out recruitment procedures, for engaging in negotiations on the received or requested collaboration offers/initiatives, to prove compliance in the execution of contracts/in compliance with consumer protection legislation, if the received communication falls within such spheres, to defend our rights and legitimate interests in case of disputes/correlative litigation, for presentation to the authorities upon request/ when required.

Data related to requests/complaints/reports regarding personal data

• Grounds: our legal obligation to respond and adopt the necessary measures, our legal obligation to produce and keep evidence of processing compliance, our prevailing legitimate interest
• Purpose: to ensure the effective exercise of your rights and legitimate interests regarding data processing, security and confidentiality and to fulfill our obligations and ensure the prevailing legitimate interest to avoid sanction by the supervisory authority, to defend our rights and legitimate interests in in case of disputes/correlative litigation, to be presented to in case of control by public authorities/at their request.

Data related to newsletter subscription/adherence to online marketing communications

• Grounds: your consent, our legal obligations to prove the compliance of the processing, our prevailing legitimate interest
• Purpose: to present and promote our products, services, collaborators, events and to build and maintain a community around common values, to defend our rights and legitimate interests in case of disputes/related disputes, to be presented to in case of control/request of public authorities.

Data related to testimonials / interactions in social networks

• Grounds: your consent, our legal obligations to prove the compliance of the processing, our prevailing legitimate interest
• Purpose: to promote our products, services, collaborators, events, through the positive feedback of former customers, to adjust our marketing approaches, to permanently improve our products and services, the development of collaborations of any type, security measures and policies and confidentiality, to defend our rights and legitimate interests in case of disputes/correlative disputes, to be presented to in case of control/request by public authorities.

Data related to electronic reservations

• Grounds: your consent, our contractual / legal obligations, our prevailing legitimate interest
• Purpose: to ensure the execution of the contractual commitments assumed towards you, to ensure the execution and prove the compliance of the activity carried out, according to the legislations incident to the nature of the service and the consumer quality of the service beneficiary, to defend our rights and legitimate interests in case of disputes/ correlative disputes, regarding the context of the lease, execution, termination of contracts, to be presented during the controls carried out by the authorities and state institutions, to be provided to the authorities according to their provisions.

Data related to promotions, contests and campaigns

• Grounds: your consent, our legal obligations, our prevailing legitimate interest
• Purpose: to promote our products and services in this way, to ensure the execution and prove the compliance of the activity carried out within these events/actions, according to the relevant legislation, to prove the compliance of the processing carried out in these contexts, to defend our rights and interests legitimate in case of correlative disputes/litigations, to be presented during the controls carried out by the authorities and state institutions, to be provided to the authorities according to their provisions.

DURATION OF PROCESSING

For the data collected involuntarily/unsolicited by the operator and for which there is no legal basis for processing, they are deleted as soon as the collection is established, without informing the person concerned in this regard;

For the data provided through the contact form/communication methods displayed on the website:

• followed by the signing of a contract between the parties, for a period of 1 year from the provision of a response to the communication/within one month from the receipt of the request to which no response was provided;
• followed by the signing of a contract between the parties, for the duration provided below for contracts.

For the data related to reservations / signing contracts / solving related issues through the website / third-party profile pages / communication channels available through / displayed in the online environment: 5 years from the termination in any way of the relations between the parties, with the possibility of extension until the resolution of the disputes that would arise in connection with them.

For the contracts with the accommodation component, the retention period for the data related to the Accommodation Forms is 5 years of completion, according to GD no. 237/2001 for the approval of the Norms regarding the access, record and protection of tourists in tourist reception structures.

For the data related to the CVs sent for recruitment, during the recruitment process and for a period of 1 year from the date of completion of the process without recruiting the person concerned, if he has given his consent.

The CVs of the employed persons will be attached to their personal files as employees, and will be kept for the duration of the contract, and after the termination of the employment contract in any way, they will be kept for a period of 75 years according to the legal term.

The CVs submitted voluntarily, outside the recruitment process, followed by recruitment, will be deleted within one month of receipt. The company can contact you in this interval in order to give consent to keep for 1 year, for possible subsequent recruitment procedures.

For data processed for marketing purposes and for those from interactions in social networks – until the consent of the concerned person is withdrawn/until the request for data deletion is resolved within the legal term/until the related Cookies are deactivated, as the case may be.

For the data related to the documents through which the operator can prove the compliance of the processing in front of the ANSPDCP (notifications/complaints/requests of the person concerned made in person or by proxy, proof of the solution method, obtaining consent, etc.) – 3 years from their production/completion of the respective procedures , regardless of the duration established for the processing for the basic purposes, strictly for the purpose that the operator can prove, if necessary, in front of the A.N.S.P.D.C.P the carrying out of a compliant processing and the respect of the rights of the data subject/for the application of sanctions to those who are guilty of not respecting the rights of the data subject.

For the data contained in the payment and financial/accounting documents – 5 years from the termination in any way of the relations between the parties/definitive settlement of the disputes between the parties or for longer periods, according to the legal fiscal-financial-accounting obligations of the company (including for data covered by internal controls/in audit).

DATA RECIPIENTS. INTERNATIONAL DATA TRANSFER

As a rule, the company will disclose the data covered by this document strictly to authorized, limited and justified internal employees and collaborators, to external collaborators, who act either as outsourced departments (HR, Marketing)/or as suppliers and service providers interposed in the contracts they conclude with society.

All these recipients have previously signed commitments and data processing agreements, so that appropriate security and confidentiality measures for your data are implemented and respected.

The company does not transfer data to other countries. This web page presents inputs and references to third-party pages and social networks, which are not under our control or administration, except limited and circumstantial, to our own pages held in them.

These pages can, without our consent or possibility of restriction, transfer data to member states or outside the EU. For more details, please access the privacy policies related to these pages and networks.

SECURITY AND CONFIDENTIALITY OF YOUR DATA

We treat your data and your requests regarding them with due importance. In this sense, we implement appropriate technical, organizational and legal measures for their security and confidentiality, including:

• We apply internal policies and procedures, based on prior risk assessment
• We train the staff involved in the processing and hold the external recipients of your data responsible through specific contractual clauses
• We carry out the physical/computer transfer of data according to specific security rules
• We secure data storage spaces, both physical and IT, according to their nature
• We periodically ensure the specialized review of the workstations and the security programs used
• We periodically review security measures and sanction violations
• We treat security breaches promptly and comply with the law

THE RIGHTS OF ANY PERSONS CONCERNED

The right of access – the right to obtain a confirmation from us whether or not your personal data is being processed and, if so, to obtain access to the respective data and to information regarding the manner in which they are processed.

The right to data portability – the right to receive personal data in a structured, commonly used and machine-readable format and the right to have these data transmitted directly to another operator, but only if this is feasible from the point of view of technical view.

The right to opposition – the right to oppose the processing of personal data. When data processing is aimed at direct marketing, you have the right to oppose the processing at any time. Depending on the circumstances, the opposition to the processing may lead to the impossibility of providing the services/providing the answers for which there are other grounds for collections/denouncing the contracts concluded with the company.

The right to rectification – the right to request and obtain, without undue delay, the correction of inaccurate data/data updates/completion of incomplete data. The company will be able to update data on its own initiative.

The right to delete data (“the right to be forgotten”) – if one of the following reasons applies:

• the data are no longer necessary to fulfill the purposes for which they were collected or processed;
• exercise the right to withdraw consent and there is no other legal basis for processing;
• you oppose the processing and there are no legitimate reasons that prevail; • personal data were processed illegally;
• personal data must be deleted to comply with a legal obligation;

The right to restrict processing – the right to request their marking and limited processing without obtaining data deletion, in the following cases:

• the accuracy of the data we process is disputed, for a period that allows the verification of the correctness of the data;
• the processing is illegal, and the person in question opposes the deletion of personal data, requesting the restriction instead;
• the company no longer needs the personal data for the purpose of processing, but the person in question requests them for establishing, exercising or defending a right in court;
• you will oppose the processing for the time interval in which it is checked whether the legitimate rights of the company prevail over your rights as the data subject.

The right to file a complaint with the National Supervisory Authority for the Processing of Personal Data, if you consider that the company violates the legal provisions regarding data processing.

The right to resolve your requests/reports/complaints regarding personal data within a reasonable period and to be informed about any measures adopted/non-adoption of measures in relation to the request.

The right to be informed in the event of a breach of the security of your data, of the nature of putting your rights and interests at high risk, with the exceptions established by law.

REQUESTS/COMPLAINTS/COMMUNICATIONS REGARDING PERSONAL DATA

Any requests/complaints/reports regarding personal data will be addressed in writing, to the email address indicated in the first part of this document and with the provision of a contact address to which the answer/related information can also be communicated in writing. The same will be done in the case of requests/communications related to previous requests/complaints/reports.

When addressing any request/complaint/report, the applicant will identify himself/herself appropriately, in order to prevent the compromise of data confidentiality, the adoption of measures at the request of unauthorized/unauthorized persons or the endangerment/violation in any way of the rights and legitimate interests of the persons targeted in relation to the data for which the request is made. In the case of requests made by proxy, the appropriate identification of the proxy and the verification of its quality will be carried out (including directly from the concerned person).

Requests sent by phone or requests in which the only available contact date is the phone number of the person concerned will not be taken into account, until they are sent in writing, under the conditions specified previously.

If the request is made in conditions that raise a suspicion of the operator regarding the identity of the applicant or regarding the legal nature of the request, the operator may suspend the solution until the provision of additional reasonable information/data in order to confirm the identity and/or quality of the applicant.

We submit these requirements to our legal obligation and our legitimate interest to prove compliance with your rights according to the GDPR and all legal regulations in the field of data protection.

The resolution of any request/notice/complaint will be made within a reasonable period of time, but no later than 30 days after receiving it. This term can be extended by two months when necessary, taking into account the complexity and number of requests, with the motivated information of the person concerned about the reason for the extension within the 30-day period.

The answer and/or any communications required by the specifics of the request will be sent in writing to the person concerned or the person authorized by him, in the manner in which the operator received the request or in another written way, expressly and reasonably requested by the person concerned/his authorized person.

VIDEO SURVEILLANCE POLICY

Making a firm reservation/Contracting services/Presenting at and transiting through the supervised locations specified below for any purpose/participating in events at the supervised locations represents your acceptance of the provisions of this document.

1. SUPERVISED LOCATIONS AND SPACES

For your safety and comfort, the Elania Resort location, located in Cluj-Napoca, Str. Fagetului 74 is supervised by means of video surveillance.

The image capture devices are located as follows:

• the entry and exit points of the premises
• parking
• reception
• the stairs and access halls (common/public) of the buildings where accommodation is provided
• indoor and outdoor Spa area
• food production and storage areas and logistics
• back of house area with limited access
• exterior spaces imposed by the minimum necessary security surveillance
• in the vicinity of certain areas of major importance, which require additional security, such as areas where sums of money are kept/ video surveillance camera access area/ areas where dangerous/flammable substances are stored/ (Room area, certain offices , bar area, warehouses, etc.)

At the same time, for the security of goods, people and information, video surveillance is carried out at the company’s headquarters. The image capture devices are located in the access area of the premises, in the access areas to the rooms where valuables, personal data and confidential information are stored. The rooms work 24 hours/day, 7 days/week.

Supervised areas are signaled accordingly at the supervised locations. There is no monitoring of the public perimeter adjacent to the premises.

Areas likely to offer a higher degree of discretion are not monitored, such as accommodation rooms, bathrooms, and, as a rule, offices, areas that require privacy at the SPA, Kids Land, Event Halls.

2. IDENTIFICATION DATA OF THE OPERATOR. CONTACTS

The operator that processes the personal data collected through the means of video surveillance is the company Apulum Turism S.R.L., identified above.

For any requests/reports/complaints regarding your personal data and additional information regarding video surveillance, you can contact us in writing, at the address of our headquarters or by e-mail, at the address provided in the first part of this page, to the attention of the Responsible for data protection.

3. DATA COLLECTED

It is collected exclusively:

• the visual image and registration number of the cars, at the Elania Resort location
• the visual image of the persons concerned, at the registered office, correlated with the date and time the image was captured.

There is no voice recording.

The systems are not inter-connected with databases that allow the direct identification of those captured in the images/based on no. registration.

4. LEGAL FRAMEWORK. BASIS AND PURPOSES OF PROCESSING

We collect and process your data based on the following legal acts:

1. a) Law no. 333 / 2003 regarding the protection of objectives, assets, values and the protection of persons, with subsequent amendments and additions;

2. b) HG no. 301 / 2012 for the approval of the Methodological Norms of Law no. 333/2003 regarding the protection of objectives, goods, values and the protection of persons;

3. c) Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data and repealing the Directive 95/46/CE (General Data Protection Regulation)

4. d) Instructions of the National Authority for the supervision of the Processing of personal data and of the empowered European working groups.

The grounds and purposes of processing are:

• the legal obligation to guard and protect people, goods and information; allows prompt investigations / interventions in case of security/security incidents;
• the legal obligation to guard and protect people, goods and information; allows prompt investigations / interventions in case of security/security incidents;
• to protect the vital interests of the person concerned or of another natural person, even more so in the epidemiological context of Covid-19 (ex: in the course of epidemiological investigations, to determine the cause/source of an infection or contamination, etc.);
• prevailing legitimate interest in supervising the way employees perform their work and exercise the rights recognized by law within the framework of employment relationships (eg: conducting disciplinary investigations, checking compliance with work procedures in case of incidents); to maintain a high level of service quality, by anticipating customer needs, supervising current maintenance, cleaning, maintenance, customer guidance or assistance needs.

5. DURATION OF PROCESSING

As a rule: 30 calendar days from collection, with subsequent automatic deletion. Circumstantial: until the definitive resolution of the incident for which a recording is required as evidence/for the duration imposed by the authorities.

6. DATA RECIPIENTS. INTERNATIONAL DATA TRANSFER

As a rule: only expressly nominated recipients – management and employees/collaborators with attributions in the supervision and control of security and security.

Circumstantial:

• authorities/public force agents in case of incidents, as needed or
• at their requestemployees/collaborators responsible for technical-IT interventions on the system (in the sense of implicit access/need for verification or quality processing of images, etc.) or
• legal service providers involved in the promotion/defense of our legitimate rights and interests.

We do not transfer data outside of Romania.

We do not transfer data outside of Romania.

We ensure the security and confidentiality of your data collected through video cameras through specific measures:

• The supervision is carried out on the basis of a specific risk assessment, reviewed periodically and as needed
• We implement a specific Policy and Procedures in this regard
• We ensure the transparency of the processing, by displaying this policy on the web page, by its availability at the reception of the location, by information and appropriate display at the location
• The data storage media are located in secure spaces and access to the databases is computer-secured
• Those involved in the processing are adequately trained, assuming specific duties and responsibilities
• Interventions and technical-informatics safeguards are carried out by specialized personnel
• We monitor the way in which these data are processed and sanction acts of violation of internal security and confidentiality rules
• We act promptly, according to the law, in case of breaches and security incidents

8. THE RIGHTS OF THE PERSON CONCERNED

In relation to all your data captured by the surveillance cameras, you can exercise the rights listed above, within the General Privacy Policy and under the conditions established by it.

Please keep in mind that, in this case, in most cases, the exercise of the rights can have a favorable result as long as a request/complaint is launched within the standard data retention period.

In the context of exercising your rights regarding the data collected by cameras:

• We will comply with a data transfer/deletion request strictly if other people’s data can be separated/confidential appropriately and at reasonable costs
• The right to rectification – in principle, inapplicable in relation to the specifics of the processing.