The confidentiality of your personal data is one of the main concerns of Therme Nord București as a data controller. Therefore we want to be completely transparent regarding the processing of personal data by providing all the information you need on this subject.
According to the requirements of the General Data Protection Regulation No. 679/2016 regarding the protection of individuals with respect to the processing of personal data and on the free movement of such data, amended and supplemented, Therme Nord București SRL (hereinafter referred to as the “Therme”) with its registered office in Romania, Sibiu county, 2 Alexandru Vlahuță Street, having the place of business in Balotești, 1K Calea București, Ilfov County, is required to manage safely and only for specified purposes, personal data that you provide to us or we collect about you.
This document is designed to inform you about the processing of your personal data, with respect to the use of the website www.therme.ro (and its corresponding sub-pages, such as the shop.therme.ro. B2B.therme.ro etc.) and regarding the visits to Therme București.
Based on legal grounds, we have highlighted most of the situations in which your personal data is processed within Therme Bucureşti by mentioning the purposes, categories of processed data and their storage period.
♦ BASED ON YOUR CONSENT, Therme processes your personal data in the following situations:
- Purpose: improving the experience of browsing the website, optimizing the display of content on the pages of the website.
- Categories of processed data: IP address, geographical address, what banners you have accessed.
- Information storage period: varies depending on the cookies accepted and does not exceed 2 years after the last session.
More details about the cookies used by Therme can be found here: http://www.therme.ro/ro/politici-cookie/
→ By registering to Therme`s Newsletter:
- Purpose: Therme processes your e-mail address to send you information about Therme news, offers and Campaigns.
- Categories of processed data: e-mail address and sometimes first and last name.
- Information storage period: your e-mail address is used for this purpose until the withdrawal of consent, which can be exercised at any time by pressing the unsubscribe button in the confirmation e-mail. Marketing communications are not done without your prior consent.
→ For all marketing activities (registration/enrolment campaigns, contests or other events), through any means of collection (online, printed forms, etc.) and all the processing operations necessary for the fulfilment of the purpose:
- Purpose: data is processed in order to organize, conduct and manage marketing events and to fulfil legal obligations.
- Categories of data processed: refers to the personal data required that you provide for the registration, participation and awards in various Campaigns (first and last name, home address, e-mail address, telephone number, or other identifying data that you provide to us according to the nature of the event.)
- Information storage period: is limited to (i) the duration of the Campaign, (ii) the period up to withdrawal of consent (if you have given it), respectively, (iii) the duration provided for by law (for those who have been awarded).
→ By the consent you provide for the collection and use of photo/audio/video materials in order to achieve various marketing materials distributed on online platforms owned by the Therme or Social Media, or used in order to be published in the Time to Therme magazine , etc. :
- Purpose: Therme image promotion, its products and services.
- Categories of processed data: your voice and image by making photo/audio/video materials.
- Information storage period: personal data (your voice and image) will be processed until consent is withdrawn or, otherwise, until the date specified in the Agreement/consent agreed with Therme.
→ Creating an account on the platforms owned by Therme (shop.therme.ro, b2b.therme.ro, therme.ro or any other subdomain therme.ro.):
- Purpose: the Purposes of the processing refers to the creation and management of accounts in order to carry out trade relations, as well as to gather feedback in order to improve the services offered.
- Categories of data processed: Therme will process your personal data, such as: first name, last name, phone number, e-mail address, billing address, data related to the way in which you use the website, for instance your behaviour/preferences/habits within Therme București, as well as any other categories of data that you provide us directly in the context of the creation of the user account, in light of placing an order via the website or in any other way arising from your use of the website.
- Information storage period: Data is kept right up to the erasing of the account, but in certain situations they will be kept for a longer period for the fulfilment of legal obligations (10 years for the financial-accounting documents) or for the protection of the legitimate interests of Therme.
→ By installing the My Therme application, creating and using the related account.
- Purpose: Managing the application so as to provide the best Therme loyalty service.
- Categories of processed data: personal data which you provide when creating the account, namely: first name, last name, e-mail address, phone number and date of birth.
- Information storage period: Data is kept until you request the deletion of the account. In certain cases, for legal reasons or legitimate interests duly substantiated, data is kept for a longer period of time even after deleting the account and disabling the application.
→ Using the contact forms on the website ("contact us"; "organize events”;" corporate sales”; "send CV”)
- Purpose: registration and resolution of requests.
- Categories of processed data: full name, e-mail address as well as data contained in attachments.
- Information storage period: it is established according to the type of request, no more than is necessary for the fulfilment of purposes and fulfilment of legal obligations.
→ By providing certain information in the form of requests via the official Therme chat or via the Facebook page.
- Purpose: to resolve requests from Facebook page visitors.
- Categories of processed data: First and last name or Facebook nickname, public information and any other information that you provide. If your request involves the disclosure of sensitive personal data, Therme may guide you to e-mail the request directly to the approved department.
- Information storage period: data is usually kept for up to 3 years after the last interaction.
→ By filling out the various online forms on the website www.therme.ro or printed forms when visiting Therme București (suggestions, complaints, lost and found, commitment of kids' caretaker, massage appointments and other forms through which you are requested to give your consent).
- Purpose: for the management of suggestions and complaints, commercial management and to ensure the security, health and safety of the Resort.
- Categories of processed data: first and last name, address, phone number, e-mail address and any other relevant information that you provide for the settlement of your claim.
- Information storage period: data is kept according to the type of request, usually not more than 3 years after the last interaction.
♦ IN ORDER TO FULFILL LEGAL OBLIGATIONS, Therme processes your personal data in the following situations:
→ Filling out a form at the first aid station following a medical event.
- Purpose: providing adequate healthcare, registering the event and keeping records for your best interest (safety and public health) and defending Therme rights.
- Categories of processed data: first name, last name, phone number, incident details and medical findings.
- Information storage period: for minor assistance, data is kept for a period of 30 days, and for serious situations in which subsequent requests can occur (access requests, notifications or complaints, etc.), data is kept for 3 years.
→ Ensuring safety and health through video monitoring and through the existence of a security and protection system.
Within the premises of Therme Bucureşti, as well as the access and parking points are equipped with a video surveillance system that allows the collection of your image and its processing.
Areas where privacy expectations regarding personal life are high, such as toilets and similar locations, are not monitored.
- Categories of processed data: video images, car registration number and other personal data depending on the situation.
- Information storage period: Usually, video images are kept for up to 30 days. To the extent that certain situations require the retention of video images for a longer period (depending on the time required to further investigate a Security incident, in order to defend a right in court, in order to fulfil a legal obligation or a legitimate interest), the retention period may be extended up to 3 years.
→ Filling out the commitment for food brought off-site
- Purposes: ensuring food safety (Ordinance 21/1992 with subsequent updates)
- Categories of processed data: first and last name, address and signature.
- Information storage period: 30 days.
→ Storage and processing of personal data for resolving claims and complaints filed online or on location:
- Purpose: to resolve claims and complaints.
- Categories of processed data: first and last name, address, phone number, e-mail address and any other relevant information.
- Information storage period: 3 years after the last interaction.
→ Provision of personal data by filling out documents necessary for the fulfilment of legal obligations (payment order, cashing order, receipt, invoice, delivery-receipt minute vouchers, report of Return Money / re-possession of goods (Therme cards), etc.
- Purpose: cash collection / return, billing, other tax purposes.
- Categories of processed data: first and last name, address, phone number, e-mail address, credit card code and ID copy.
- Information storage period: 5 years, according to legal provisions.
→ Checking the identity card to identify the data subject in different situations (return lost items, return Therme gift cards – in case of re-issuance, etc)
- Purpose: identification
- Categories of processed data: Data from ID card or passport.
- Information storage period: N/A
→ Keeping a record with service providers operating within Therme București Resort.
- Purpose: Health and Safety at Work
- Categories of processed data: first and last name, date of birth, occupation, signature.
- Information storage period: throughout the performance of the service contract and after its termination, for the duration necessary to fulfil the legal obligations.
→ Keeping record of visitors (other than customers)
- Purpose: To ensure health and safety.
- Categories of processed data: first and last name
- Information storage period: 3 years
→ The use of personal data that is held by Therme Nord Bucureşti in the context of services rendered, including tax obligations, as well as regarding archiving.
- Purpose: fulfilment of legal obligations in matters of taxation and archiving.
- Categories of processed data: Therme requires first and last name and address in the case of invoices, or any other information required by law to fulfil legal obligations.
- Information storage period: 5 or 10 years from the end date of the financial year in which they were drawn up in the case of accounting documents (according to the order 2634/2015 of the 5th November 2015), and for archiving, data retention is done in accordance with the law of national archives 16/1996 with its subsequent updates.
→ Management of transactions by the financial-accounting department in the case of payments (on the platform PayU) made with the card by the customer in the online store or on B2B platform.
- Purpose: financial and accounting management.
- Categories of processed data: the PayU Application provides access to the name and surname, address, phone number, e-mail address, postal code of the cardholder.
- Information storage period: information is not exported or stored by Therme.
♦ IN ORDER TO FULFILL LEGAL OBLIGATIONS, THERME processes your personal data in the following situations:
→ THERME data network monitoring (when you connect to the Wi-Fi network at the time of the visit). The provision of personal data for the purpose of connecting to the Wi-Fi network is based on your consent and on the legitimate interest to ensure optimal conditions of network security.
- Purpose: To ensure information security and to protect the legitimate interest.
- Categories of processed data: first and last name, e-mail address, phone number, device details and navigation.
- Information storage period: 1 year
→ Preservation of the first aid incident sheet, videos, complaints (if any) or other relevant documents following a medical event.
- Purpose: incident management, for the purpose of defending Therme's rights before Authorities.
- Categories of data processed: first and last name, surname, phone number, data related to your health, incident details and medical findings, video images and other information provided by you to motivate a situation.
- Information storage period: 3 years or more if the situation so requires, for the protection of rights.
→ Managing, controlling, reporting and compiling THERME activity statistics (Refers to internal reports made to obtain sales information, most accessed services, data on your preferences/interests, etc.)
- Purpose: management and marketing
- Categories of processed data: Data do not contain identification elements.
♦ BASED ON THE CONTRACT BETWEEN YOU AND THERME (including the stages prior to signing of the contract), your data is processed in the following situations:
→ Through e-mail communication with Therme employees involved in the sale (including pre-sale steps).
Through commercial requests from the online store or B2B or any other communication channel. The provision of your personal data is necessary for the performance of the contract.
- Purpose: organizing and conducting the contractual relationship (informing, retrieving, validating, dispatching and invoicing of the order placed on the website, informing you on the status of the order, organising the return of products ordered, or other circumstances related to the sale.)
- Categories of processed data: first and last name, occupation, e-mail address, delivery address, phone number, banking data, details of financial transactions with Therme.
- Information storage period: for individuals: 10 years from the last order/sale and for representatives of legal entities 10 years from the completion of the contract.
→ Filling out supporting documents to recover damages caused by customers (payment commitments, minutes or other supporting documents).
- Purpose: Recovery of damages.
- Categories of processed data: are collected at least first and last name, home address, phone number, amount of payment and other information necessary to establish the circumstances of the damage.
- Information storage period: 5 years from the end date of the financial year in which they were drawn up.
→ The verification of the identity card of the persons who wish to access areas with age limit.
- Purpose: Ensuring compliance with the General Contractual Conditions - Rules of Procedure and Use of Therme Nord București Swimming Pools;
- Categories of processed data: it requires a visual check of your identity card in order to be allowed access to certain age restricted areas.
- Information storage period: No data is stored.
→ The verification of the identity card (for pupils, students / retirees / people with disabilities etc.) and supporting documents (pupil / student card, pension card, supporting document certifying the degree of disability, etc.) at the time of purchasing the access ticket.
- Purpose: Ensuring compliance with the General Contractual Conditions - Rules of Procedure and Use of Therme Nord București Swimming Pools; - Issuing discount for access tickets.
- Categories of processed data: it requires a visual check of your identity card and supporting documents.
- Information storage period: No data is stored.
→ Appointments for additional services within the Resort (massage appointments)
- Purpose: massage appointments
- Categories of processed data: first name
- Information storage period: 60 days
→ CV Data (those on the profile sites or those that you send us by e-mail or at the address of the place of business) processed in order to select the candidate for the interview.
- Purpose: recruitment
- Categories of processed data: first and last name, address, date of birth, phone number, e-mail address, education/qualifications , experience, professional skills and other relevant information.
- Information storage period: If the candidate is rejected, his CV will not be kept (unless otherwise provided under a consent), if the candidate is accepted, the CV will be submitted to the personnel file and kept according to the legal provisions.
♦ OTHER SITUATIONS WHERE PERSONAL DATA MAY BE PROCESSED
In certain situations, Therme can allow access within the Resort Therme București to third Parties in order to carry out activities involving the realization of photo/video/audio material on the basis of a contract or written authorisation from Therme, as well as:
- Press (at its request), at certain times such as national or public interest days, inaugurations, special events, etc., for personal journalistic purposes.
- Partners who have concluded a contract with Therme and who by the nature of the contract are required to make photo/video/audio materials in the Therme location. (events, TV productions, product and service promotions etc.)
Therme informs all its partners, either by specific contractual clauses or by their acceptance of the General Conditions regarding the filming, recording, shooting activities in Therme Bucharest of the responsibilities regarding the processing of personal data.
They undertake and are responsible for the personal data processed, both for obtaining consent and for the other GDPR obligations.
For the purposes of the processing, Therme can disclose your data to partners, to third parties or entities that support the Therme in performing its activity through the Website (for example courier companies, marketing collaborators, IT service providers, financial, accounting, legal service providers etc.), or to central public/local authorities, in the following cases listed as examples:
As a general rule, personal data is processed in Romania. In specific situations in which it will be necessary to carry out any of the purposes above-mentioned, Therme can call upon third parties or entities that can access your data from outside of the country (e.g. Germany). In these circumstances, Therme will always take steps to ensure that any international transfer of personal data is managed carefully in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected through contractual commitments and, where appropriate, through other guarantees, such as the standard contractual clauses issued by the European Commission or certification schemes.
Under the conditions laid down in the law on the processing of personal data, as data subjects, you benefit from the following rights:
Following your request to delete the data, Therme may anonymize this data (thus depriving them of their personal character) and continue processing for statistical purposes;
THERME will provide free information concerning the processing of personal data upon request, without undue delay, within 30 calendar days from the date of the request registration. Depending on the intricacies of the information requested, this period may be extended by 60 days informing you of the reasons for extending the initial term. For applications received in electronic format, the information will be provided in electronic format, unless you request the information in another format (printed). In cases where you ask us for the same repetitive, excessive information or without legal basis, THERME may refuse to provide the information.
If you want to exercise any of your rights related to the processing of personal data by THERME, to get additional information or clarification with respect to the processing of your personal data, please contact THERME through its data protection officer responsible for ensuring that THERME complies with all the requirements of the GDPR.
He can be contacted at the e-mail address: firstname.lastname@example.org
The website www.therme.ro uses cookie files. For more information on how these files are used, please visit the following link: http://www.therme.ro/ro/politici-cookie/.
Visit this page regularly to make sure that you always have the information up to date.