Gdpr

Data Protection Declaration of Rosen Villa Sibiu

1. Name and address of the Data Administrator

In the sense of the General Data Protection Regulation (GDPR) and other national data protection laws in Member States and other applicable data protection provisions, the Data Administrator is:

Rosen Villa Sibiu Strada Noua, Nr. 21, Sibiu 550257 Sibiu, Romania 0771 567 173

The Data Administrator has appointed the following person as Data Protection Officer:

Stefan Axente Stroia Manager Rosen Villa 0771 567 173 office@rosenvillasibiu.ro

2. General information regarding data processing
   1. Scope of personal data processing
   We collect and use our users' personal data only to the extent necessary to provide a functional website, content, and services. We collect and use our users' personal data only after obtaining the user's consent. An exception is when the user's consent cannot be obtained for genuine reasons and the data processing is permitted by law.
   2. Legal basis for processing personal data
   Article 6, paragraph 1, letter a) of GDPR represents the legal basis when we obtain the consent of the data subject for processing personal data. Article 6, paragraph 1, letter b) of GDPR represents the legal basis for processing personal data necessary for the execution of a contract to which the data subject is a party. This also applies to processing operations necessary for implementing pre-contractual measures. Article 6, paragraph 1, letter c) of GDPR represents the legal basis when the processing of personal data is necessary to fulfill the legal obligations of our company. Article 6, paragraph 1, letter d) of GDPR represents the legal basis when the vital interests of the data subject or another real person require the processing of personal data. Article 6, paragraph 1, letter f) of GDPR represents the legal basis if data processing is necessary to protect a legitimate interest of our company or a third party that prevails over the interests, fundamental rights, and fundamental freedoms of the data subject.
   3. Data deletion and storage period
   The personal data of the data subject are deleted or blocked immediately after the purpose of their storage has been fulfilled. Storage for a longer period is possible if provided for by the European or national legislator within the framework of relevant Union regulations, laws, or other provisions governing the data administrator. Also, the data are deleted or blocked after the expiry of the legal retention period, except when there is a requirement to retain the data for the conclusion or execution of a contract. The data we store include, among other things, the following elements:
   • Log files for a maximum period of 14 days;
   • Databases for logins for the duration of the account's existence;
3. Website provision and generation of log files
   1. Description and scope of data processing
   Our system automatically collects data and information from the accessing computer each time a user visits our website. The following data are collected: (1) Information about the type of browser and version used (2) The user's operating system (3) The user's internet service provider (4) The user's IP address (5) Date and time of access (6) Websites from which the user was redirected to our site (7) Websites accessed by the user's system through our site (8) Duration of the user's visit (9) User's country of origin (10) User's preferred language (11) Time of the user's first visit and that of their most recent visit These data are also saved in the log files of our system. We do not store these data alongside other personal data of the user.
   2. Legal basis for data processing
   The legal basis for the temporary storage of data and log files is Article 6, paragraph 1, letter f) of GDPR.
   3. Purpose of data processing
   The temporary storage of the IP address by our system is necessary for the purpose of delivering the website to the user's computer. Therefore, the user's IP address must be stored for the duration of the session. The storage of data in log files serves to guarantee the proper functioning of our website. The data are also used to optimize the website and to protect the security of our IT systems. These purposes represent our legitimate interest in processing data in accordance with Article 6, paragraph 1, letter f) of GDPR.
   4. Storage duration
   The data are deleted as soon as the purpose of their collection has been achieved. When data are collected for operating the website, this happens immediately after the respective session is ended. In the case where the data are stored in log files, this happens after a maximum period of 14 days. Data may be stored for longer periods in certain circumstances. In this case, the user's IP addresses are deleted or truncated, resulting in the fact that it is no longer possible to trace them back to the client who accessed them.
   5. Right to object and contest a decision
   The collection of data for the provision of the website and the storage of data in log files are absolutely essential for the operation of the website. This means that users cannot object to these processes of data collection and storage.
4. Use of cookies
   1. Description and scope of data processing
   Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's information system. When a user visits a website, cookies can be placed locally on the user's device. This cookie contains a string of characters representing a unique identification code of the browser, a code that will be recognized on the next visit to the website. We use cookies to make our website easier to use. Some elements of our internet site require that the accessing browser can be identified even after our page has been left. Cookies store and transmit the following data: (1) Items from a shopping cart / online room reservation (2) Login information (3) Conversation information (4) Security mechanisms for forms (XSRF) [cross-site request forgery] (5) Items from the wishlist (6) Google Analytics services (7) General Facebook Pixel verification (8) Google Maps integration (9) Universal Messenger data for a target group-oriented website experience (10) YouTube clip integration Our website also uses cookies that allow an analysis of the user's navigation and use of the website. The following data may be transferred: (1) Search terms entered (2) Page views (3) Use of website functions The collected data concerning the user are pseudonymized through technical methods. Thus, the data can no longer be traced back to the user who accessed them. The data are not combined with other personal data of the user. When accessing the website, users are informed about the use of cookies for analysis purposes through an information banner that also refers to this data protection declaration. This includes information about how the placement of cookies can be prevented by changing the browser settings.
   2. Legal basis for data processing
   The legal basis for processing data involving the use of cookies is Article 6, paragraph 1, letter f) of GDPR.
   3. Purpose of data processing
   The purpose of using strictly necessary cookies is to make the website easier to use. Some functions offered on our website may not be available if cookies are deactivated. These functions depend on recognizing the browser after it has left the website. The use of cookies is necessary for the following applications: (1) Shopping functions (for example, shopping cart, room reservation) (2) Tracking functions (for example, country of origin) User data collected through strictly necessary cookies are not used to generate user profiles. Analysis cookies are used exclusively for the purpose of improving the quality of our website and its content. Analysis cookies provide us with information about how the website is used and how we can continuously improve our services. These purposes represent our legitimate interest in processing data in accordance with Article 6, paragraph 1, letter f) of GDPR.
   4. Storage duration, right to object and contest a decision
   The user's computer stores and transmits cookies to our website. This means that our users have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing your internet browser settings. Cookies that have already been placed can be deleted at any time. This can be set to automatic mode. If you have cookies deactivated, you may not be able to use the full range of functions offered on our website.
5. Newsletters
   1. Description and scope of data processing
   Our website offers users the possibility to subscribe to a free newsletter. The data entered in the registration form will be transmitted to us. During registration, the following data are also collected: (1) IP address of the computer from which access is made (2) Date and time of registration Your consent for data processing is obtained during the registration process, during which you are also referred to this Data Protection Declaration. If you send us your email address during the purchase of goods or services through our website, we may subsequently use this data to send a newsletter. In this case, the newsletter will only contain direct advertising for similar products or services offered by our company. The data are not disclosed to third parties as part of the data processing regarding the sending of newsletters. The data are used exclusively for sending the newsletter. We also use newsletter tracking, which means that emails sent by us contain small image files, also called web beacons or tracking pixels; these are included in emails but not contained directly in them (but only as a link to a web address). These are downloaded from the external server by the webmail application running in the browser. Information regarding the call, IP address, as well as information regarding the accessing client are collected.
   2. Legal basis for data processing
   The legal basis for processing data after the user has subscribed to the newsletter and expressed their consent for the use of their data is Article 6, paragraph 1, letter a) of GDPR. Newsletter tracking is also based on Article 6, paragraph 1, letter f) of GDPR.
   3. Purpose of data processing
   The collection of the user's email address serves the delivery of the newsletter. Tracking the newsletter service serves to perform a statistical analysis to determine the number of emails that are read when links are frequently accessed and which of these. In this case, the use does not allow for sending to individuals. The information is used to optimize the content of newsletters or for better adaptation of the newsletter to the mail clients used by the recipients. The collection of other personal data during the registration process serves to prevent improper use of services or email addresses used.
   4. Storage duration
   The data are deleted as soon as the purpose of their collection has been achieved. Consequently, the user's email address will be stored as long as the user remains subscribed to the newsletter. The data for analysis are deleted after three months. Any other personal data collected during the registration process are usually deleted after seven days.
   5. Right to object and contest a decision
   The newsletter subscription can be canceled (unsubscribed) at any time by the user. All newsletters contain an unsubscribe link. This also gives the user the possibility to withdraw their consent regarding the storage of personal data collected during the registration process.
6. Registration
   1. Description and scope of data processing
   Our website offers users the possibility to register by providing their personal data. The data are entered into a form, are transmitted to us and then stored by us. The data are not disclosed to third parties, except when a payment processing service is involved in an e-commerce transaction. During the registration process, the following data are collected: (1) First name (2) Last name (3) Email address (4) Password (5) Address (6) Postal code (7) City (8) Date of birth (9) Phone number (10) Fax number (11) Fiscal code (12) Company (13) Company website At registration, the following additional data are stored: (1) Date and time of registration (2) Date and time of registration confirmation (3) Date and time when consent was expressed for the Data Protection Declaration (4) Website on which the registration was made The user's consent for the processing of these data is obtained during the registration process. These data are also collected during an e-commerce transaction.
   2. Legal basis for data processing
   The legal basis for processing data with the user's consent is Article 6, paragraph 1, letter a) of GDPR. If the registration serves the execution of a contract with the user or the implementation of pre-contractual measures, the legal basis for processing the data is also Article 6, paragraph 1, letter b) of GDPR. The processing of data during an e-commerce transaction is based on Article 6, paragraph 1, letter b) of GDPR.
   3. Purpose of data processing
   User registration is necessary for providing certain content and services on our website. The user may also be asked to register for the purpose of executing a contract with them or implementing pre-contractual measures.
   4. Storage duration
   The data are deleted as soon as the purpose of their collection has been achieved. For data collected during the registration process, this happens when the registration on our website is canceled or modified. The data necessary for the execution of a contract or for the implementation of pre-contractual measures may also be deleted if the data are no longer necessary for the execution of the contract. It may be necessary to store the personal data of a contractual partner for a longer period than that necessary for concluding a contract in order to fulfill contractual or legal obligations. This means that, as soon as a user requests the deletion of their account, the data specified in F.1. will be deleted; except when this contravenes a law that requires SC ROSEN VILLA SRL to retain the data (i.e., mandatory legal retention periods).
   5. Right to object and contest a decision
   Users can cancel their registration at any time. You can request us to modify your data stored by us at any time. You can update your profile data in SC ROSEN VILLA SRL at any time (if creating an account is allowed). If the data are necessary for the execution of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible to the extent that this deletion does not contravene legal requirements.
7. Contact form and contacting by email
   1. Description and scope of data processing
   Our website provides a contact form that can be used to send us electronic correspondence. A similar form can be used to book the rooms offered by SC ROSEN VILLA SRL. The data entered in these forms will be transmitted to us and will be stored by us. These are the data displayed in the input mask. At the time of sending the form, the following additional data are stored: (1) The user's IP address (2) Language and URL of the accessed page (3) The user's browser and operating system (4) The user's referring page (5) Date and time when the contact was made Regarding the processing of their data, users are referred to the Data Protection Declaration at the time of sending the form and must declare and confirm their consent regarding the Data Protection Declaration. Alternatively, users can contact us via the email address provided. In this case, the user's personal data transmitted by email will be stored. The data are not disclosed to third parties in this context.
   2. Legal basis for data processing
   The legal basis for processing data transmitted through the contact form with the user's consent is Article 6, paragraph 1, letter a) of GDPR. The legal basis for processing data transmitted by email is Article 6, paragraph 1, letter f) of GDPR. If the objective of contacting by email is to conclude a contract, for example placing an order with the service department, the processing of data is also based on Article 6, paragraph 1, letters b) and c) of GDPR. The legal basis for storing information of course participants is Article 6, paragraph 1, letter f) of GDPR.
   3. Purpose of data processing
   We process exclusively the personal data transmitted through an online form for the purpose of processing user requests. In the case of contact by email, this also includes the legitimate interest necessary for processing the data. If you register for a training course, the personal data you transmit will be used for conducting and organizing training courses. Any other personal data processed during the sending process are intended to prevent improper use of the contact form and to protect the security of IT systems.
   4. Storage duration
   The data are deleted as soon as the purpose of their collection has been achieved. Personal data entered in the online form are not stored on our servers. Data sent by email are deleted once the respective correspondence with the user has been concluded. Correspondence is considered concluded if the circumstances indicate that the respective request has been finally resolved. If you send us a reservation, we will contact you using the double opt-in process for electronic correspondence. If you respond to the contact email, the data will be deleted within 24 hours. If we do not receive a response from you regarding the contact email, we will keep your order request for a period of two weeks to allow you to place the order you have already sent us. Room reservation data may be kept for up to 10 years, given the requirements of tax law.
   5. Right to object and contest a decision
   The user can revoke their declaration of consent to the processing of personal data at any time. Users who contact us by email can withdraw their consent for the storage of their personal data at any time. In the case of withdrawal of consent, correspondence with the user will be terminated. In this case, all personal data stored during the establishment of contact will be deleted.
8. Website analysis services
   1. Description and scope of data processing
   This site uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses cookies, text files that are stored in your computer and that allow an analysis of your use of this website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. We want to emphasize that this site uses Google Analytics with the extension "_anonymizeIp()", which means that only truncated IP addresses are processed in order to exclude any direct reference to a person. Your IP address will be truncated by Google in the member states of the European Union or other signatories of the Agreement on the European Economic Area. The complete IP address is sent to a Google server in the USA and truncated there only in exceptional cases.
   2. Legal basis for data processing
   The legal basis for processing personal data through the use of Google Analytics is Article 6, paragraph 1, letter f) of GDPR.
   3. Purpose of data processing
   The purpose of data processing is the effort to sustainably improve the website and the user experience. Google uses this information on behalf of the operator of this website to evaluate your use of this website, to gather reports regarding website activities, and to provide other services to the website operator that are associated with the use of this website and the internet. For this purpose, our company has concluded a data processing contract with Google, in accordance with Article 28 of GDPR.
   4. Storage duration
   The data are deleted as soon as the purpose of their collection has been achieved.
   5. Right to object and contest a decision
   The IP address sent from your browser as part of Google Analytics is not combined with other Google data. You can adjust your browser settings to prevent the storage of cookies on your computer. Please note that in this case, you will not be able to use all the functions offered on this website. You can prevent the collection of your data regarding the specific use of the website (including your IP address) generated by cookies to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/
9. Rights of the data subject If your personal data are processed, you are a data subject in the sense of GDPR. You have the following rights towards the data administrator:
   1. Access to information
   You have the right to ask the administrator to confirm the processing of your personal data by us. If so, you have the right to ask the data administrator to provide you with the following information: (1) The purposes of processing personal data; (2) The categories of personal data that are processed; (3) The recipients or categories of recipients to whom your personal data have been or will be disclosed; (4) The planned period for storing your personal data or, if there is no exact information, the criteria for establishing the storage period; (5) The existence of a right to delete or correct your personal data, a right to restrict the processing of data by the data administrator, and a right to revoke your declaration of consent to the respective data processing; (6) The existence of a right to file a complaint with a supervisory authority; (7) All available information regarding the source of any personal data that were not collected from the data subject; (8) The existence of automated individual decisions, including profiling processes in accordance with Article 22, paragraphs 1 and 4 of GDPR and, if applicable, relevant information regarding the logical reasoning involved and the scope and expected effects of such data processing for the data subject. At the same time, you have the right to request information about whether or not your personal data are transmitted to a third country or an international organization. In this regard, you can request to be informed about the appropriate guarantees in accordance with Article 46 of GDPR regarding the transfer.
   2. Right to rectification
   You have the right to ask the data administrator to correct or complete your data if your personal data are incorrect or incomplete. The data administrator must correct the data without undue delay.
   3. Right to restrict data processing
   You have the right to impose a restriction on the processing of your personal data under the following conditions: (1) you contest the correctness of your personal data and give the data administrator sufficient time to verify the correctness of the personal data; (2) the processing of data is illegal and you refuse the deletion of your personal data in question and prefer to request the restriction of the processing of your personal data; (3) The data administrator no longer requests the personal data for the purpose for which they were collected, but you request the data for the purpose of supporting, exercising, or defending legal interests, or (4) you have objected to the processing of data in accordance with Article 21, paragraph 1 of GDPR and a decision has not been made as to whether the legitimate interests of the administrator prevail over yours. If the processing of your personal data has been restricted, these data - with the exception of their storage - can be processed only with your consent, for the purpose of supporting, exercising, or protecting legal interests, to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or a member state. If the restriction imposed on data processing under the specified conditions is modified, you will be informed by the data administrator before the restriction is lifted.
   4. Right to deletion a) Obligation to delete data
   You can ask the administrator to delete your personal data promptly, and the data administrator has the obligation to delete the respective data without undue delay, provided that one of the following reasons applies: (1) Your personal data are no longer necessary for the purposes for which they were collected or processed by other means. (2) You revoke the consent that forms the basis for data processing under Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a) of GDPR and there is no other legal basis for data processing. (3) You oppose data processing in accordance with Article 21, paragraph 1 of GDPR and there are no determining legitimate interests in processing the data, or you oppose data processing in accordance with Article 21, paragraph 2 of GDPR. (4) Your personal data have been processed illegally. (5) The deletion of your personal data is necessary to fulfill a legal obligation provided by EU legislation or by the legislation of the Member States that regulates the data administrator. (6) Your personal data have been collected in connection with the services offered by the information society in accordance with Article 8, paragraph 1 of GDPR. b) Subsequent notification of third parties In the event that the administrator has made your personal data public and is obliged to delete the respective data in accordance with Article 17, paragraph 1 of GDPR, then the data administrator, within the limits of available technology and implementation costs, must take appropriate measures, including those of a technical nature, to inform the data administrators who process personal data in connection with the fact that you, as a data subject, have requested the deletion of all links to these personal data, as well as copies or reproductions of these personal data. c) Exceptions You do not have the right to delete your data to the extent that data processing is necessary for: (1) exercising the right to freedom of expression and the right to information; (2) fulfilling a legal obligation that requires data processing in accordance with EU legislation or with the legislation of the Member States under which the data administrator operates, or for exercising a function of public interest or exercising a public authority conferred on the data administrator; (3) reasons of public interest in the field of public health, in accordance with Article 9, paragraph 2, letters h) and i), as well as Article 9, paragraph 3 of GDPR; (4) archiving purposes that are in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89, paragraph 1 of GDPR, to the extent that the right provided in point a) is anticipated to make the fulfillment of the objectives of the respective data processing impossible or to significantly impede them, or (5) for the purpose of supporting, exercising, or defending legal interests.
   5. Right to subsequent notification
   If you have exercised your right to correct or delete your data or to impose a restriction on data processing, against the data administrator, then the data administrator must notify all recipients to whom your personal data have been communicated about this correction or deletion of your data or about the imposition of a restriction regarding the processing of your data, except in cases where such action is impossible to carry out or would involve excessive efforts or expenses. You have the right to be informed by the data administrator about these recipients of your data.
   6. Right to data portability
   You have the right to receive your personal data provided to the data administrator in a structured, commonly used format that can be read with the help of a device. At the same time, you have the right to transmit the transfer of this data to another data administrator without the intervention of the data administrator to whom your personal data were initially made available, provided that: (1) data processing is based on consent under Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a) of GDPR or on the basis of a contract under Article 6, paragraph 1, letter b) of GDPR and (2) processing is carried out with the help of automated processes. When exercising this right, you are also entitled to have your personal data transmitted directly from one data administrator to another, subject to technical feasibility. This must not prejudice the rights and freedoms of third parties. The right to data portability does not apply to data processing necessary for the fulfillment of a function of public interest or in the case of exercising a public authority conferred on the data administrator.
   7. Right to object
   You have the right to object at any time to the processing of your personal data under Article 6, paragraph 1, letter e) or f) of GDPR for reasons arising from your personal circumstances; this also applies to the creation of profiles by virtue of the same provisions. Then, the data administrator will stop processing your personal data, except in cases where the administrator proves compelling legitimate interests regarding data processing, interests that prevail over your interests, rights, and freedoms, or in cases where processing does not serve to support, exercise, or defend legal interests. In cases where personal data are processed for purposes of direct advertising, you have the right to object at any time to the processing of your personal data for purposes of direct advertising; this also applies to the creation of profiles associated with the respective direct advertising activity. Your personal data will no longer be processed for direct advertising purposes if you object to the processing of data for those purposes. In the context of using information society services and without regard to Directive 2002/58/EC, you can exercise your right to object through automated processes that use technical specifications.
   8. Right to revoke the declaration of consent under data protection legislation
   You have the right to revoke a previously granted declaration of consent according to the law on data protection. The revocation of consent will not affect the legality of data processing carried out before revocation.
   9. Automated individual decisions, including profiling
   You have the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects on your person or which significantly affects you in a similar way. This does not apply if the decision (1) is necessary for the conclusion or execution of a contract between you and a data administrator; (2) is authorized by the legislation of the Union or of a Member State to which the data administrator is subject and which also establishes appropriate measures for protecting the rights and freedoms, as well as the legitimate interests of the data subject; or (3) is based on your explicit consent. However, decisions must not be based on special categories of personal data in accordance with Article 9, paragraph 1 of GDPR, except in cases where Article 9, paragraph 2, letters a) or g) applies and appropriate measures to protect the rights and freedoms, as well as the legitimate interests of the data subject. In the cases mentioned in points 1 and 3, the data administrator must implement appropriate measures to protect your rights, freedoms, and legitimate interests, at least the right to obtain human intervention from the data administrator, to express your point of view and to contest the decision.
   10. Right to file a complaint with a supervisory authority
   Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, especially in the Member State where you have your residence, workplace, or where the place of the alleged violation is located if you consider that the processing of personal data relating to you violates GDPR. The supervisory authority with which the complaint was filed will inform the complainant about the status and result of the complaint, including the possibility of a judicial remedy according to Article 78 of GDPR. If you wish to object to the collection, processing, or use of data by SC ROSEN VILLA SRL in accordance with this Data Protection Declaration, either categorically or for individual measures, you can send us your objection by email or by normal postal services to the following contact details:
   
   The Data Protection Officer of SC ROSEN VILLA SRL is:
   Stefan Axente Stroia Manager Rosen Villa Sibiu
   0771 567 173
   office@rosenvillasibiu.ro