Privacy Policy
For Accommodation Units
Last updated: April 24, 2025
1. Introduction and Purpose
This Privacy Policy (hereinafter referred to as the "Policy") establishes the principles and procedures
that [ACCOMMODATION UNIT NAME] (hereinafter referred to as the "Accommodation Unit" or the
"Operator") applies to ensure compliance with the applicable personal data protection legislation.
This Policy is addressed to all employees, collaborators, and other individuals acting under the
authority of the Operator and involved in the processing of personal data of customers, potential
customers, employees, collaborators, and other natural persons whose data are processed in the context
of the Accommodation Unit's activity.
The purpose of this Policy is to inform data subjects about how the Accommodation Unit collects, uses,
stores, and protects their personal data, ensuring an adequate level of protection and transparency in
accordance with the applicable legal regulations.
2. Legal and Regulatory Framework
The Accommodation Unit operates under the following legal acts regarding personal data protection:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).
This is the main European normative act that establishes the legal framework for personal data
protection.
- Law No. 190/2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive 95/46/EC. This national
law complements and specifies certain aspects of the GDPR in the context of Romanian legislation.
- Law No. 506/2004 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (transposing Directive 2002/58/EC, as amended by Directive
2009/136/EC). This law regulates specific aspects regarding data processing in the context of
electronic communications, including the use of cookies and similar technologies on the
Accommodation Unit's website.
- Any other relevant national or European regulations in the field of personal data protection.
The Accommodation Unit is committed to complying with the fundamental principles regarding the
processing of personal data as provided by the GDPR, namely: lawfulness, fairness, and transparency,
purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality
(Art. 5 GDPR).
3. Categories of Personal Data Processed
In the context of its activity, the Accommodation Unit may process the following categories of personal
data, without being limited to these:
- Identification data: name, surname, citizenship, date and place of birth, series and number of
identity card/passport.
- Contact data: home/residence address, telephone number, e-mail address.
- Reservation and stay data: arrival and departure dates, room preferences, number of people,
information on any special requests.
- Payment data: bank card details (processed securely and in accordance with PCI DSS standards, if applicable),
transaction information.
- Billing data: company name (if applicable), fiscal code, registered office address.
- Data collected through video surveillance (CCTV): video images in public areas of the Accommodation
Unit, for security and crime prevention purposes.
- Website navigation data: IP address, browser type, pages visited, duration of visit, data collected
through cookies and similar technologies (according to the separate Cookie Policy).
- Preferences and interests data: information about travel preferences, feedback provided,
participation in loyalty programs (if applicable).
- Health data (in exceptional cases): information voluntarily provided by guests regarding allergies,
dietary restrictions or specific medical needs, in order to provide them with appropriate services.
- Employee and collaborator data: identification data, contact data, employment/collaboration contract
data, salary data, performance evaluation data, attendance data, occupational health data (in
accordance with specific legislation).
4. Purposes of Personal Data Processing and Legal Basis
The Accommodation Unit processes personal data for the following specific purposes, based on the legal
grounds provided by Art. 6 para. 1 GDPR:
- Reservation management.
- Provision of accommodation services (including room allocation, access to facilities).
- Check-in and check-out management.
- Billing and payment processing.
- Communication with customers regarding the reservation and stay.
Fulfillment of a legal obligation to which the Operator is subject (Art. 6 para. 1 lit. c) GDPR):
- Registration of guests in legal registers (according to the legislation on the registration of
accommodated persons).
- Communication of information to the competent public authorities (in the cases provided by law).
- Compliance with accounting and fiscal obligations.
- Implementation of security measures imposed by law.
Legitimate interest of the Operator (Art. 6 para. 1 lit. f) GDPR), provided that the interests or
fundamental rights and freedoms of the data subject do not prevail:
- Ensuring the security of people, goods, and the Accommodation Unit's premises through video
surveillance systems (CCTV).
- The legitimate interest consists in preventing offenses, identifying perpetrators, and managing
security incidents.
- Improving the services offered and personalizing the customer experience by analyzing preferences
and feedback.
- Direct marketing (sending offers, news, and information about the Accommodation Unit's services),
respecting the data subject's right to object at any time.
- Administration and security of the Accommodation Unit's website.
- Establishing, exercising, or defending a right in court.
Consent of the data subject (Art. 6 para. 1 lit. a) GDPR):
- For the processing of certain categories of personal data that are not strictly necessary for the
performance of the contract or the fulfillment of a legal obligation (e.g., specific preferences,
health data provided voluntarily for the purpose of personalizing services).
- Consent will be specific, informed, freely given, and unambiguous, expressed by a clear affirmative
action.
- For sending direct marketing communications through electronic channels (e-mail, SMS), in accordance
with Law No. 506/2004.
- For the use of certain types of cookies and similar technologies on the website, according to the
Cookie Policy.
Regarding the processing of personal data of employees and collaborators, the legal grounds may include,
in addition to those mentioned above, the performance of the individual employment/collaboration
contract, the fulfillment of legal obligations as an employer/service beneficiary, and the legitimate
interest of the Operator in managing human resources.
5. Recipients of Personal Data
The Accommodation Unit may disclose personal data to the following categories of recipients:
- Employees and collaborators of the Accommodation Unit: Access to data is limited to those
individuals who need to process it for the purpose of performing their work duties, having been
previously trained on confidentiality and data protection obligations.
- Service providers: Third parties that provide services on behalf of the Accommodation Unit, such as
online booking system providers, payment processors, IT service providers, marketing agencies, video
surveillance service providers, accountants, lawyers. These providers act as processors on behalf of
the Operator and are contractually obliged to process personal data in accordance with the
Operator's instructions and the applicable legislation.
- Competent public authorities: If there is a legal obligation to disclose the data (e.g., requests
from courts, criminal investigation bodies, tax authorities, tourism authorities).
- Other third parties: In specific cases and with the consent of the data subject (if necessary) or
based on another legitimate legal basis.
The Accommodation Unit ensures that all recipients of personal data provide sufficient guarantees
regarding the implementation of appropriate technical and organizational measures to protect the data
and that they process the data in accordance with the applicable legislation.
6. Transfer of Personal Data Outside the European Economic Area (EEA)
In principle, Accommodation Units process personal data within the EEA. However, in certain situations,
it may be necessary to transfer personal data to countries outside the EEA (e.g., using service
providers with servers located outside the EEA).
If such a transfer occurs, the Accommodation Unit will ensure that the conditions provided by the GDPR
for the transfer of data to third countries are met, namely:
- The existence of an adequacy decision of the European Commission regarding the respective third
country (Art. 45 GDPR).
- The provision of appropriate safeguards by the data exporter and importer (Art. 46 GDPR), such as
standard contractual clauses adopted by the European Commission or binding corporate rules (BCR).
- The application of specific derogations provided by Art. 49 GDPR (e.g., the explicit consent of the
data subject, the necessity of the transfer for the performance of a contract, important reasons of
public interest).
The Accommodation Unit will inform data subjects about any transfer of data outside the EEA and the
safeguards implemented to protect the data.
7. Personal Data Retention Period
The Accommodation Unit will retain personal data only for the period necessary to fulfill the purposes
for which they were collected, while also complying with the legal requirements regarding archiving
periods. Retention periods may vary depending on the data category and the purpose of processing:
- Data processed for the purpose of performing the accommodation contract: Will be kept for the
duration necessary to provide the services and subsequently for the period provided by law for
keeping financial-accounting documents (usually 10 years from the end of the financial year).
- Data processed for the purpose of fulfilling legal obligations: Will be kept for the periods
specified by the relevant legislation (e.g., accommodation registers according to specific
regulations).
- Data processed based on legitimate interest (e.g., CCTV images): Will be kept for a limited period,
proportional to the purpose (usually no more than 30 days, unless necessary for the investigation of
a security incident).
- Data processed based on consent (e.g., direct marketing): Will be kept until the data subject
withdraws consent.
- Employee and collaborator data: Will be kept in accordance with the legal deadlines provided by
labor, fiscal, and archival legislation.
Upon expiration of the retention period, personal data will be securely deleted or anonymized.
8. Rights of Data Subjects
In accordance with the GDPR, data subjects have the following rights in connection with the processing of
their personal data:
- Right to information (Art. 13 and 14 GDPR): The right to receive clear, transparent, and
easy-to-understand information about how Accommodation Units process their data. This Policy
represents a way of exercising this right.
- Right of access (Art. 15 GDPR): The right to obtain confirmation that their personal data is
being processed and to receive a copy of it, as well as additional information regarding the
processing.
- Right to rectification (Art. 16 GDPR): The right to request the rectification of inaccurate
data or the completion of incomplete data.
- Right to erasure ("right to be forgotten") (Art. 17 GDPR): The right to request the deletion
of data in certain circumstances (e.g., the data is no longer necessary for the purposes for which
it was collected, the data subject has withdrawn consent, the processing is illegal).
- Right to restriction of processing (Art. 18 GDPR): The right to request the restriction of
data processing in certain situations (e.g., the data subject disputes the accuracy of the data, the
processing is illegal and the data subject opposes the deletion).
- Right to data portability (Art. 20 GDPR): The right to receive personal data in a structured,
commonly used and machine-readable format and to transmit it to another controller, under certain
conditions.
- Right to object (Art. 21 GDPR): The right to object to the processing of data in certain
situations, including processing for direct marketing purposes.
9. Arrival/Departure Forms and Legal Obligations
The Accommodation Unit operates in accordance with the provisions of Government Ordinance no. 65/2008 on
the organization and marketing of tourism services, approved with amendments and additions by Law no.
135/2009, which imposes the obligation on accommodation units to complete and maintain tourist records
(also known as arrival/departure forms).
For the purpose of fulfilling this legal obligation (legal basis: Art. 6 para. 1 lit. c) GDPR), the
Accommodation Unit collects the following categories of personal data through these forms, necessary for
the identification and registration of tourists:
- Identification data: name, surname, citizenship, date and place of birth, series and number of
identity card/passport.
- Personal Identification Number (CNP) or its European equivalent (as applicable and in accordance
with the applicable regulations).
Retention Period, Archiving and Destruction of Arrival/Departure Forms:
In accordance with the Order of the Ministry of Tourism no. 130/2013 approving the model of the tourist
record, as amended and supplemented, the tourist records are kept for a period of 5 (five) years,
starting from the date of the tourist's departure.
Archiving Procedure:
During the retention period, the arrival/departure forms will be archived in physical format, under
secure conditions that prevent unauthorized access, loss, or destruction. They will be organized
chronologically or according to other criteria that allow easy identification of information, in secured
spaces with controlled access.
If the Accommodation Unit implements digital solutions for the collection and management of data from the
arrival/departure forms, these will be stored in secure systems, with the implementation of appropriate
technical and organizational measures for data protection (encryption, access control, audit log, etc.).
The retention period for digital data will also be 5 years from the end of the stay.
Destruction Procedure:
Upon expiration of the 5-year retention period, the arrival/departure forms (both in physical and
digital format, if there is no legal obligation to keep them for a longer period) will be securely
destroyed, so that the information contained therein can no longer be recovered.
- For physical forms: Destruction will be carried out by methods that ensure data confidentiality,
such as shredding with specific equipment or incineration.
- For digital data: Destruction will be carried out by secure deletion or other technical methods that
guarantee the permanent removal of information from storage media.
The Accommodation Unit is committed to strictly complying with the legal provisions regarding the
collection, storage, archiving, and destruction of arrival/departure forms, ensuring the protection of
the personal data of tourists in accordance with GDPR and the applicable national legislation.
10. Identity of the Data Controller
This Privacy Policy applies to the data processing activities carried out by:
- [ACCOMMODATION UNIT NAME]
- Registered office address: [ACCOMMODATION UNIT REGISTERED OFFICE ADDRESS]
- Fiscal Identification Code (CIF): [ACCOMMODATION UNIT FISCAL IDENTIFICATION CODE]
- Legal Representative: [FULL NAME OF LEGAL REPRESENTATIVE]
- Contact details for data protection issues:
  - E-mail address: [DEDICATED DATA PROTECTION E-MAIL ADDRESS]
  - Phone number: [DEDICATED DATA PROTECTION PHONE NUMBER]
  - Mailing address: [DEDICATED DATA PROTECTION MAILING ADDRESS, if different from the registered office
    address]
The Accommodation Unit, identified by the data above, acts as the Data Controller of the personal data it
processes in accordance with the provisions of this Policy and the applicable data protection
legislation.