Hotel Epica

HOTEL EPICA PRIVACY POLICY

Respecting your privacy and protecting your personal data are important to us. Therefore, we are committed to ensuring that your personal data is processed in accordance with the principles set out under the data protection legislation applicable in Romania, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR” or the “Regulation”).

This privacy policy (hereinafter referred to as the “Policy”) contains information regarding the processing of your personal data by Compania De Librarii București Turism S.R.L., a limited liability company incorporated under Romanian law, having its registered office in Bucharest, 1 Şelimbăr Street, 3rd District, registered with the Trade Register under no. J2023024762406, sole registration code RO49335408 (hereinafter referred to as the “Company” or “Hotel Epica”).

Pursuant to the Regulation, personal data means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This Policy applies, as the case may be, to Hotel Epica’s clients and beneficiaries of its services; potential clients of Hotel Epica; visitors to Hotel Epica; visitors to our website; individuals interested in the services or activity of Hotel Epica who contact us for such purposes; individuals who choose to apply for a position within the Company; individuals participating in recruitment procedures; Hotel Epica’s collaborators, business partners or suppliers; employees, contact persons, collaborators and representatives of Hotel Epica’s business partners, collaborators or suppliers; and/or any other persons referred to in this Policy.

This Policy describes the purposes and legal grounds for the processing of personal data; the categories of personal data that may be processed by the Company; the manner in which we collect personal data; the recipients of personal data; the duration of personal data processing; the rights of data subjects; and our contact details.

I. PURPOSES OF PROCESSING. LEGAL GROUNDS FOR PROCESSING. CATEGORIES OF PERSONAL DATA

In the context of your interaction with Hotel Epica, your personal data may be subject to the processing activities carried out by us.

1. If you are a client or prospective client of Hotel Epica, as well as where you are a beneficiary of our services, please note that we may collect and process your personal data in the following cases:

1.1. Provision of the services offered by Hotel Epica. In this case, your personal data may be collected and processed for the purpose of performing the agreement concluded between you and the Company, providing you with offers or personalised services where you submit a request in this respect, processing payments made by you, completing accommodation, check-in and check-out formalities (including for the purpose of completing the guest arrival and departure registration form), as well as for the purpose of complying with the legal obligations incumbent upon the Company (including in relation to public authorities).

In such cases, the following categories of data may be processed, including but not limited to: name, surname, identification numbers (e.g. personal identification number), personal data contained in your identity document, telephone number, date of birth, place of birth, citizenship, domicile/residence address, e-mail address, details regarding accompanying persons, including minors, bank account and payment card details, date of arrival, date of departure and purpose of travel.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) and Article 6(1)(c) (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject) of the GDPR, as applicable.

Where you are a beneficiary of our services as a result of such services being contracted by another person (for example, by your employer for employee business trips, team-building events or similar purposes), the obligation to inform you regarding the disclosure of your personal data to Hotel Epica, the processing of such data and the applicable processing conditions, including the contents of this Policy, rests with the person (i.e. the client) making the reservation and engaging our services.

Accordingly, if you reserve and engage our services for the benefit of other individuals, you are responsible for properly informing the relevant data subjects benefiting from our services regarding the disclosure of their personal data to Hotel Epica, the processing of such data and the applicable processing conditions, including the contents of this Policy. The Company shall not be held liable for your failure to comply, or improper compliance, with this obligation, to the extent permitted by law.

1.2. Management of reservations and requests submitted by you. In this case, your personal data may be collected and processed for the purpose of making the requested reservations, confirming, modifying or rejecting reservations, responding to your requests and enquiries, or complying with the legal obligations incumbent upon the Company (including in relation to public authorities).

In such cases, the following categories of data may be processed, including but not limited to: name, surname, identification numbers (e.g. personal identification number), telephone number, date of birth, place of birth, citizenship, domicile/residence address, e-mail address, details regarding accompanying persons, including minors, bank account and payment card details, date of arrival, date of departure and purpose of travel.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), Article 6(1)(c) (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject) or Article 6(1) (f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

2. Organisation and implementation of marketing campaigns. The Company may process your personal data in order to keep you informed about services and offers that may be of interest to you, in connection with the organisation and conduct of marketing campaigns by the Company for the promotion of its services and business activity.

In this regard, we may provide you (including by electronic means, via SMS or telephone calls) with newsletters regarding our services and offers, promotional materials, commercial offers or other marketing communications or, as the case may be, we may request your opinion regarding the services provided by Hotel Epica or for the purpose of conducting market research, but only where you have subscribed for such purposes and have therefore expressly provided your consent for such processing.

You may change your mind and withdraw your consent at any time, free of charge, by accessing the unsubscribe link displayed in the marketing communications received from Hotel Epica.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, telephone number, date of birth and e-mail address.

The legal ground on which we rely for the processing of personal data in such cases is Article 6(1)(a) of the GDPR (i.e. the data subject has given consent to the processing of his or her personal data for one or more specific purposes).

3. Collecting feedback. Managing complaints, requests and disputes. In this case, your personal data may be collected and processed, as applicable, for the purpose of handling and managing complaints, reports, questions and requests submitted by you, including in relation to the services provided by the Company; for the establishment, exercise or defence of the Company’s rights before courts and/or for the purpose of collecting and managing the feedback provided by you.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, telephone number, citizenship, domicile/residence address and e-mail address.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) or Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

4. Data processing as a legal obligation. We may process certain categories of your personal data, including in the context of providing the services offered by the Company, on the basis of legal obligations imposed on the Company by applicable legislation (for example, obligations to comply with tax legislation).

The legal ground on which we rely for the processing of personal data in such cases is Article 6(1)(c) of the GDPR (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject).

5. Ensuring the security of property, individuals and premises through video surveillance. For the purposes of crime prevention and ensuring the protection of individuals (including Hotel Epica’s clients, visitors and staff) and property owned by Hotel Epica, as well as property belonging to clients/visitors, and for the purpose of efficiently managing security incidents, we may process your personal data through the video surveillance systems installed inside and outside the Hotel Epica premises.

The surveillance systems are positioned in visible locations and accompanied by appropriate signage, and are installed in a manner intended to minimise the impact on individual privacy. We also carry out periodic assessments to ensure that the use of such systems remains justified.

The recorded images will be retained for the period necessary for an incident to be identified and investigated, but for no longer than 30 days.

In such cases, the following categories of data may be processed, including but not limited to: your image captured through the surveillance systems, as well as your vehicle registration number, where applicable.

Except for competent authorities or other cases expressly provided by law, the images and data will not be disclosed to third parties.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(c) (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject) and Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

6. Use and administration of the Hotel Epica website. The Hotel Epica website may automatically collect and store certain data and information including, without limitation: IP address, the general location of the device used by you, browser type, operating system and time of access. We use the personal data collected from you when you visit our website, https://www.epicahotel.ro/, in order to process and respond to the enquiries submitted by you through our website, to send the newsletters to which you subscribed while visiting our website (the provisions of Section 2 above remain applicable), as well as to provide the information requested in connection with our activity and services. We also use your personal data to monitor website traffic and improve the website content.

In such cases, the following categories of data may be processed, including but not limited to: the date and time of access to our website, the section of the website accessed, IP address and the general location of the device used by you.

The administration of the Hotel Epica website involves the use of cookies in order to provide visitors with an improved browsing experience and to deliver services tailored to visitors’ needs and interests. For further details regarding the use of cookies by Hotel Epica, please consult our Cookies Policy.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(a) (i.e. the data subject’s consent) and/or Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

7. If you are a visitor to Hotel Epica, please note that we may collect and process your personal data in order to ensure the security of Hotel Epica’s premises, property and staff, as well as the security of Hotel Epica’s clients and their property. At the same time, your personal data may also be processed for the purpose of enabling the Company to comply with its legal obligations, including in relation to public authorities.

Please note that video surveillance systems have been installed both inside and outside the Hotel Epica premises. The surveillance systems are positioned in visible locations and accompanied by appropriate signage, and are installed in a manner intended to minimise the impact on individual privacy. We also carry out periodic assessments to ensure that the use of such systems remains justified. In this respect, the provisions of Section 5 above shall apply accordingly.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, identification numbers (e.g. personal identification number), personal data contained in your identity document, telephone number, date of birth, place of birth, citizenship, domicile/residence address, e-mail address, date and time of arrival, date and time of departure, your image captured through the surveillance systems and, where applicable, your vehicle registration number.

8. Conducting recruitment activities. Where you apply for a position within the Company, we process your personal data for the purpose of carrying out the recruitment process, including for assessing your qualifications and skills in relation to the position for which you have applied, organizing and conducting interviews, and completing formalities related to occupational health services or other formalities required by law in this respect.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, identification numbers (e.g. personal identification number), telephone number, date of birth, place of birth, citizenship, domicile/residence address, e-mail address, other personal data contained in your identity document, data regarding education and professional training, professional qualifications, professional experience, as well as other data included in your CV.

As part of the recruitment process, we may request that you provide additional documents (for example, diplomas, academic transcripts, approvals, certifications, documents relating to professional qualifications, etc.).

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) and Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

9. If you are a collaborator, business partner or supplier of Hotel Epica, or an employee/contact person/collaborator/representative of Hotel Epica’s business partners, collaborators or suppliers, please note that we may process your personal data for the purpose of establishing and maintaining contractual and/or business relationships, as applicable, with Hotel Epica’s collaborators, business partners or suppliers, or with the employees/contact persons/representatives/collaborators of Hotel Epica’s business partners, collaborators or suppliers, as well as for the purpose of maintaining the contractual and/or business relationship, communicating with you or enabling the Company to comply with its legal obligations.

In all cases, the data is provided either directly by you or by the Company’s collaborator, business partner or supplier. In the latter case, the relevant collaborator, business partner or supplier of the Company is responsible for informing the individuals to whom the data relates that such data is disclosed to the Company and may be processed by the Company, as well as for complying with the applicable legal provisions in this respect, including obtaining the consent of the data subjects where required.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, identification numbers (e.g. personal identification number), telephone number, date of birth, place of birth, citizenship, domicile/residence address, e-mail address and the position held within the Company’s collaborator, business partner or supplier.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) or Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR.

10. Rental of Hotel Epica premises intended for or capable of being used for private or corporate events. In this case, your personal data may be collected and processed, as applicable, for the purpose of ensuring the proper organisation and conduct of such events and/or the related contractual relationships, ensuring the safety of Hotel Epica’s staff, property and premises, ensuring the safety of event participants and their property, or enabling the Company to comply with its legal obligations.

In this respect, please note that video surveillance systems have been installed both inside and outside the Hotel Epica premises. The surveillance systems are positioned in visible locations and accompanied by appropriate signage, and are installed in a manner intended to minimise the impact on individual privacy. We also carry out periodic assessments to ensure that the use of such systems remains justified. In this respect, the provisions of Section 5 above shall apply accordingly.

In such cases, the following categories of data may be processed, including but not limited to: name, surname, telephone number, your image (captured through the surveillance systems) and, where applicable, your vehicle registration number.

The legal grounds on which we rely for the processing of personal data in such cases are Article 6(1)(b) (i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) and Article 6(1)(f) (i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the GDPR, as applicable.

II. HOW WE OBTAIN PERSONAL DATA

Hotel Epica may obtain personal data:

(i) either directly from you, including when you choose the services offered by Hotel Epica (including when completing reservation or check-in formalities), when you visit our website, when you request information regarding our services or activity, when you choose to apply for a position within Hotel Epica, in the context of contractual or business relationships with Hotel Epica, when you choose to subscribe for marketing purposes and/or when you choose to submit reviews, complaints or notifications to us, when you visit Hotel Epica, etc.;

(ii) or through booking platforms (for example, Booking.com, Expedia etc.), travel agencies, public authorities, collaborators, Hotel Epica’s business partners or suppliers, as well as through persons engaging our services on your behalf.

Where you provide Hotel Epica with the personal data of other individuals, please inform such individuals, prior to such disclosure, of the manner in which Hotel Epica intends to process their personal data, as described in this Privacy Policy.

Personal Data Relating to minors. We pay particular attention to and ensure enhanced protection for personal data relating to minors. Reservations regarding the services offered by Hotel Epica are not intended for persons under the age of 18. We may process personal data relating to minors, as such data may be collected from the minors’ parents or legal guardians, to the extent necessary for the provision of Hotel Epica’s services, as well as in other situations provided for under the applicable legislation or this Policy.

Sensitive Data. As a rule, we do not collect or process sensitive data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

However, in certain situations, we may process data concerning health, for example information relating to food allergies or other dietary restrictions, which you voluntarily provide to us in the context of the provision of restaurant services (for example, breakfast services), in order to adapt the services offered to your needs.

In such cases, the processing of such data shall be carried out exclusively for the purpose of protecting your health and safety and shall be based on your explicit consent.

III. RECIPIENTS OF PERSONAL DATA

Although, as a rule, we do not disclose your personal data to third parties, we may do so in the following circumstances:

• where necessary, transfer your personal data, exclusively through secure applications or methods, to third parties such as Hotel Epica’s commercial or business partners, suppliers, subcontractors or collaborators (for example, marketing service providers, IT service providers, etc.), acting as data processors on behalf of Hotel Epica, with whom Hotel Epica has concluded the contractual arrangements required under European Union and national legislation. We shall transfer data to such third parties solely to the extent necessary for the fulfilment of the applicable processing purposes for which your personal data are collected and processed;

• disclose your personal data in order to comply with the law or in response to a request from a court of law or other competent authority. Hotel Epica may also disclose such information to authorities where we consider it necessary to prevent or address fraud or to protect Hotel Epica;

• where necessary, disclose the relevant personal data to competent authorities in the context of providing the services requested by you or for the purpose of complying with the legal obligations incumbent upon the Company;

• group events or conferences: where you benefit from our services as part of an organised group or event (for example, conferences, meetings or other events), certain data necessary for the organisation and conduct thereof may be disclosed to the event organisers and, where applicable, to other participants involved in the organisation of such events;

• disclose your personal data to lawyers and/or tax or legal consultants, where necessary for the purpose of providing advice and/or representation to the Company in the context of disputes or litigation involving you;

• disclose your personal data to judicial enforcement officers, in the cases provided for by law or under the agreements concluded with you.

In all cases, we shall ensure that any disclosure of data is carried out in compliance with the applicable legislation and subject to the implementation of appropriate safeguards for the protection of your personal data.

IV. RETENTION PERIOD OF PERSONAL DATA

The Company shall retain your personal data (excluding your image) for the duration of the agreement concluded with you and thereafter in accordance with the legal obligations incumbent upon us.

Where the data are not collected in the context of entering into an agreement, such data shall be retained for a period not exceeding that necessary for the fulfilment of the purposes for which the data are processed or any longer period required under the applicable legislation.

Immediately following the expiry of the applicable retention period for personal data, such data shall be:

• securely deleted or destroyed in a manner that prevents their recovery; or

• transferred to an archive, where required by law.

Where the processing of data is based on your consent as a legal ground, please note that you may withdraw such consent at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal. Personal data collected and processed for marketing purposes shall be deleted immediately if you unsubscribe from our newsletter service.

V. YOUR RIGHTS

As data subjects, you benefit from a series of rights under the GDPR in relation to your personal data, including:

• the right of access – allows you to obtain confirmation as to whether your personal data are being processed by Hotel Epica and, where that is the case, access to such data and to the relevant details regarding such processing activities. You may also request a copy of the personal data undergoing processing;

• the right to rectification – allows you to obtain the rectification of your personal data where such data are inaccurate. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed;

• the right to erasure – allows you to obtain the erasure of your personal data to the extent permitted under applicable law (for example, where the data are no longer necessary in relation to the purposes for which they were collected). We may not be able to comply with such a request in all cases, such as where we are legally required to retain the data for a certain period of time or where the data are necessary for a legitimate interest, such as defending a right in court;

• the right to restriction of processing – allows you to obtain the restriction of the processing of your personal data in the situations provided by law (for example, where you contest the accuracy of your personal data, for a period enabling us to verify such accuracy);

• the right to object – allows you to object to the further processing of your personal data under the conditions and within the limits established by law. In such case, the Company, acting as controller, shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or where the processing is necessary for the establishment, exercise or defence of legal claims;

• the right to data portability – allows you to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to transmit such data to another controller without hindrance from the Company, in the cases provided by law.

You may freely exercise your rights, including the rights referred to above, at any time, and obtain further information regarding such rights by submitting a written request to the Company, acting as controller, at the following address: office@epicahotel.com. We will handle your requests with due care and respond to any questions you may have as promptly as possible. In this regard, we shall ensure that appropriate measures are taken to respond to your request without undue delay and, in any event, within 30 (thirty) days from receipt of the request.

You also have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), using the following contact details: 28–30 General Gheorghe Magheru Boulevard, 1st District, postal code 010336, Bucharest, Romania; telephone no. +40.318.059.211 / +40.318.059.212.

VI. ADDITIONAL INFORMATION

Security. In order to protect your personal data, we have implemented technical and organisational measures designed to ensure a level of security appropriate to the risks presented by the processing activities, in particular against misuse or accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or access, intentional or accidental manipulation, access by third parties, deletion and modification.

You will be notified of any personal data breach without undue delay, unless a competent authority determines that such notification would impede a criminal investigation or prejudice national security. In such case, the notification shall be delayed in accordance with the instructions of the relevant authority. We shall respond promptly to your requests relating to any such personal data breach.

Contact Details. If you have any further questions regarding the manner in which we process your personal data, please send us a written request using the following contact details: Bucharest, 1 Şelimbăr Street, 3rd District (address) and/or office@epicahotel.com.

This Privacy Policy may be updated from time to time.