Privacy Policy

Thank you for your interest in our services!

 

 

The security and privacy of your personal data are a priority for us.

In this document you will find our Privacy and Video Surveillance Policy, supplemented by the Cookies Policy. [hyperlink] available on the website.

 

IDENTIFICATION DATA OF THE CONTROLLER. CONTACT DETAILS

 

The controller processing personal data via this website is the company POIANA CAILOR S.R.L, of Romanian nationality, with the registered office in Bucharest, district 6, 333 Calea Giulesti, Building C14, basement, Room 13, having the registration no. with the Trade Register J40/1605/2021, the Tax Identification Number 43649991.

For any requests/suggestions/complaints regarding your personal data and additional information, you can contact us in writing, at the address of our registered office or by E-mail sent to the attention of the Data Protection Officer, to the address ____________________.

 

BASIC CONCEPTS, according to the definitions of European Regulation no.  679/2016 (GDPR)

 

personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

CONTENT AND PURPOSE. SCOPE

 

We hereby provide, for all visitors and users of this website, the information and obtaining of evidence of express/implied consent, deduced from the circumstances of browsing the website and the voluntary transmission of data to us, through the available/displayed communication channels.

The provisions of this document shall apply both to the data processing carried out via this website, and to data processing via third-party sites/means, in the context of which reference is made to them – e.g.: recruitment ads published on third-party websites/data processing via and in the context of online promotional and marketing activities/via social networks – direct/indirect processing via external sources that refer to this Policy explicitly.

 

PERSONAL DATA COLLECTED DIRECTLY VIA THE WEBSITE OR FROM THE ONLINE ENVIRONMENT, IN GENERAL

 

The processed data depends on the section/functionality accessed on the website, as well as on the way and purpose in which you communicate with us via the website:

Data collected via cookies modules, automatically when accessing/browsing in various sections/accessing various functionalities for details, see the Cookies Policy. [hyperlink]

Filling out the contact form available on the website:

surname, first name(s), e-mail address, phone number, gender (as far as it comes implicitly from the name or e-mail address).

Apart from these, the data provided by the data subject voluntarily, without the controller’s request, by filling out the space intended for the message itself (e.g.: the date of birth/age/occupation/position/workplace, provided implicitly in the context of requests for information/offers for events, etc.).

Sending messages of any type or making phone calls to the contact addresses displayed on the website (other than through the contact form):

the contact data related to the chosen means of communication and, possibly, the gender, (as far as it comes implicitly from the name or e-mail address), any data provided in the content of the message itself, the surname and first name(s), the data related to the CVs submitted, data regarding the position held within a company (in the case of company representatives addressing collaboration initiatives), data derived from the nature/purpose of the events for which are requested offers/information; reviews and/or opinions about our services, any other types of information you choose to provide us.

Launching of reservation requests:

surname, first name(s), e-mail address, phone number, reservation date, time of arrival and time of departure, gender (if it comes implicitly from the first name(s)/e-mail address), citizenship, date of birth (if it comes implicitly from the context and/or the data provided).

 

For group reservations – only the data of the person making the reservation is requested, indicating the number of persons in the group and, on a case-by-case basis, the surname and first name(s) of those in the group and/or the age of the minors in the group.

 

In the case of events, as a rule, only the organiser’s data – mentioned above for reservations – shall be collected, to which can be added, unrequested/inherent, data related to the nature and purpose of the event (events dedicated to a specific ethnic group/weddings, baptisms, festive days/position, workplace, occupation, profession in the case of team buildings, profile conferences, etc.). There may be situations where checking the access to the event requires the use of a guest list (surname, first name(s)). After the event, the list will be destroyed.

Launching of reservation requests (the “Reservation Services”)/access to the waiting list (the “Waitlist Services”), the purchase of gift cards (the “Gift Cards”) – directly on the website, via the SUPERBEXPERIENCE platform ­–

Data other than the above, expressly customised, requested from visitors/users to benefit from the “Reservation Services”, “Waitlist Services”, “Gift Cards”, online via the SUPERBEXPERIENCE platform (e.g. bank card data) are not available to Poiana Cailor S.R.L. and are not stored by Poiana Cailor S.R.L. or by the processor integrated in the website, but by Superb ApS, a company established and operating according to the Danish law, registered under no. 39478021, with the registered office in 10 Højbro Plads, DK-1200 Copenhagen, e-mail: support@superbexperience.com. The data collected via the SUPERBEXPERIENCE platform shall be processed in accordance with the Terms and Conditions of Superb ApS [hyperlink], as well as with the Privacy and Cookies Policy of Superb ApS [hyperlink].

Subscribing to the newsletter/joining our online community/activating the marketing cookies used by our website: e-mail – provided voluntarily, associated with a distinct and revocable consent – for details, see the Cookies Policy.

Sending requests/complaints/suggestions regarding personal datasurname, first name(s), gender (as long as it can be deducted from the first name(s) or e-mail), the contact details related to the means of communication chosen or other contact details (if one wishes to receive the answer in another way) and another identification attribute (only under the conditions described below, in the section Requests/complaints/suggestions regarding personal data).

Signing up for promotions, contests and campaignsunder the processing conditions stipulated in the Official Regulation for each event organised by the Controller (on a case-by-case basis).

Visiting and interacting with/Publishing testimonials in the social networks managed by the Controller (Facebook, Instagram, LinkedIn):

own username on the site, public data associated with the personal site, accessible implicitly through the interaction with the website, data contained in the message itself/images/video voluntarily released publicly on these websites, which falls under the consent and liability of the person releasing them.

Such data shall be left on public display/deleted from the site, at the company’s disposal. You can delete at any time/you can ask to delete information associated with/published on our sites.

We do not undertake liability in relation to third-party takeovers from own sites.

Our company does not create separate databases from the data published on these sites but may implicitly use the data collected directly by these third-party sites in audience and marketing analyses (except e-mail addresses provided for by newsletter subscribers).

For more information on the data processing carried out via these sites, you can consult their own Privacy policies.

You can choose at any time what personal data you want to provide us. However, if you choose to provide certain personal data, if the basis of our request is compliance with a legal obligation, contractual obligation or an obligation necessary and/or timely for the conclusion of a contract, we will be unable to provide you certain services.

 

THE GROUNDS AND PURPOSES OF THE PROCESSING

 

Data related to cookiesfor details, see the Cookies Policy [hyperlink]

Data related to the contact form sent via the website and messages of any kind sent to the contact addresses displayed on the website:

  • Grounds – your consent, our legal and contractual obligation, our prevailing legitimate interest.
  • Purpose: for managing, solving, providing answers, investigating, capitalisation of any requests/suggestions/complaints/offers received through the contact forms, for carrying out recruitment procedures, for engaging in negotiations on the received or requested collaboration offers/initiatives, in order to prove compliance in the execution of contracts/compliance with consumer protection law, if the received communication falls within such scopes, in order to defend our legitimate rights and interests in case of correlative differences/disputes, for submission to the authorities upon request/as needed, etc.

Data related to online services – “Reservation Services”, “Waitlist Services”, “Gift Cards”:

  • Grounds: your consent, our contractual/legal obligations, our prevailing legitimate interest.
  • Purpose: to ensure the reservation/registration, to ensure the execution of the mutually undertaken contractual commitments, to ensure the execution and prove the compliance of the service and the activity carried out according to the relevant legislation to the nature of the service/activity and the consumer capacity of the beneficiary of the service/product, in order to defend the legitimate rights and interests in case of correlative differences/disputes regarding the context of the conclusion, execution/performance, termination of contracts, to be presented during the inspections carried out by the state authorities and institutions, to be provided to the authorities according to their provisions.

Data related to newsletter subscription/adherence to online marketing communications:

  • Grounds: your consent, out legal obligations to prove the compliance of the processing, out prevailing legitimate interest.
  • Purpose: to present and promote our products, services, collaborators, events and to build and maintain a community around common values, to defend our legitimate rights and interests in case of correlative differences/disputes, to be presented in case of inspection/at the request of the public authorities.

Data related to requests/complaints/suggestions regarding personal data:

  • Grounds: our legal obligation to respond to and adopt the necessary measures, our legal obligation to produce and keep evidence of processing compliance, our prevailing legitimate interest.
  • Purpose: to ensure the effective exercise of your legitimate rights and interests regarding data processing, security and privacy and to fulfil our obligations and ensure the prevailing legitimate interest to avoid sanction by the supervisory authority, to defend our legitimate rights and interests in case of correlative differences/disputes, to be presented to an/in case of inspection by the public authorities/upon their request.

Data related to promotions, contests and campaigns:

  • Grounds: your consent, our legal obligations, our prevailing legitimate interest.
  • Purpose: to promote our products and services this way, to ensure the execution and prove the compliance of the activity carried out within these events/actions, according to the relevant legislation, to prove the compliance of the processing carried out in these contexts to defend our legitimate rights and interests in case of correlative differences/disputes, to be presented during the inspections carried out by the state authorities and institutions, to be provided to the authorities according to their provisions.

Data related to testimonials/interactions in social networks:

  • Grounds: your consent, our legal obligations to prove the compliance of the processing, our prevailing legitimate interest.
  • Purpose: to promote our products, services, collaborators, events, through the positive feedback from former customers, to adjust our marketing approaches, to permanently improve our products and services, the development of collaborations of any kind, security and privacy measures and policies, to defend our legitimate rights and interests in case of correlative differences/disputes, to be presented in case of inspection/upon the request of the public authorities.

 

DURATION OF THE PROCESSING

 

For the data collected involuntarily/unrequested by the controller and for which it has no legal grounds for processing, such data are deleted as soon as the collection is established, without informing the data subject in this regard.

The data provided through the contact form/means of communication displayed on the website:

  • Not followed by the signing of a contract between the parties, it is kept for a period of 1 year from the provision of an answer to the communication/1 year from the receipt of the request to which no answer was provided;
  • Followed by the signing of a contract between the parties, it is kept for the duration provided below for contracts.

The data related to reservations/signing of contracts/resolving of issues related to them via the website/third profile sites/communication channels available via/displayed in the online environment are kept for a maximum of 5 years after the termination in any way of the relations between the parties, with the possibility of extension until the settlement of the differences that would arise in connection with them.

The data related to the CVs sent for the purpose of recruitment are kept for the duration of the recruitment process and for a period of 1 year from the date of completion of the process without recruitment of the data subject, if the latter has given its consent.

The CVs of the employed persons will be attached to their personal files (as employees) and will be kept for the duration of the contract, and after the termination of the employment contract in any way, they will be kept for a period of 75 years according to the legal term.

The CVs submitted voluntarily, outside the recruitment process, not followed by recruitment, will be deleted within one month of receipt. The company can contact you in this interval in order to give consent to keep them for 1 year, for possible subsequent recruitment procedures.

For data processed for marketing purposes and for those from interactions in social networks, the retention period is until the withdrawal of the consent of the data subject/until the resolution of the data erasure/until the related Cookies are deactivated, as the case may be.

For the data related to the documents through which the controller can prove the compliance of the processing in front of the ANSPDCP – The National Supervisory Authority for the Processing of Personal Data  (suggestions/complaints/requests of the data subject made personally or by proxy, proof of the method of settlement, obtaining consent, and so on) the retention period is of 3 years from the production/completion of said procedures, regardless of the duration established for the processing for basic purposes, strictly for the purpose that the controller can prove, if necessary, before the A.N.S.P.D.C.P., the performance of a compliant processing and the compliance with the rights of the data subject/for the application of sanctions to those who are guilty of non-compliance with the rights of the data subject.

For the data contained in the payment and/or financial/accounting documents, the retention period is of 5 years from the termination in any way of the relations between the parties/final settlement of the differences between the parties or for longer periods, according to the fiscal-financial-accounting legal obligations of the company (including for data covered by internal inspections/in audit).

 

DATA RECIPIENTS. INTERNATIONAL DATA TRANSFER

 

As a rule, the company will disclose the data covered by this document strictly to authorised internal employees and collaborators, limited and justified, to external collaborators, acting either as outsourced departments (HR, Marketing)/or as service suppliers and providers, interposed in the contracts that you conclude with the company.

All these recipients have previously signed commitments and data processing agreements, so that appropriate security and privacy measures for your data are implemented and met.

The company does not transfer data to other countries.

This website presents inputs and references to third-party sites and social networks, which are either not under our control or management, or are, but to a limited and circumstantial extent.

These sites can transfer data to member states or outside the EU without our consent or restriction.

For more details, please access the privacy policies related to these sites and networks.

 

SECURITY AND PRIVACY OF YOUR DATA

 

We treat your data and requests regarding them with due importance.

In this regard, we implement appropriate technical, organisational and legal measures for their security and privacy, including:

  • We apply internal policies and procedures, based on prior risk assessment;
  • We train the staff involved in the processing and hold the external recipients of your data responsible through specific contractual clauses;
  • We carry out the physical/computer transfer of data according to the specific security rules;
  • We secure data storage spaces, both physically and digitally, according to their nature;
  • We periodically ensure the specialised review of the workstations and the security programs used;
  • We periodically review security measures and sanction violations;
  • We treat security breaches promptly and in accordance with the law.

 

THE RIGHTS OF ANY DATA SUBJECT

 

The right of access – the right to obtain our confirmation as whether or not personal data concerning you are being processed, and, where that is the case, access to said data and to information regarding the manner in which they are processed.

The right to data portability – the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, but only if this is technically feasible.

The right to object – the right to object the processing of personal data. When data processing is aimed at direct marketing, you have the right to object the processing at any time. Depending on the circumstances, the objection to processing may lead to the impossibility of providing services/providing answers for which there are other grounds for collection/termination of the contracts concluded with the company.

The right to rectification – the right to request and obtain, without undue delay, the correction of inaccurate data/data updates/completion of incomplete data. The company will be able to update data on its own initiative.

The right to data erasure (“right to be forgotten “) – if one of the following grounds applies:

  • the data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you exercise the right to withdraw consent and there are no other legal grounds for processing;
  • you object to the processing and there are no overriding legitimate reasons;
  • the personal data has been unlawfully processed;
  • the personal data has to be erased to comply with a legal obligation.

The right to restriction of processing – the right to request the marking and limited processing of the data without obtaining the erasure of the data, in the following cases:

  • the accuracy of the data we process is contested, for a period enabling the verification of the accuracy of the data;
  • the processing is illegal, and the data subject objects to the erasure of the personal data and requests the restriction of their use instead;
  • the company no longer needs the personal data for the purposes of processing, but the data subject requests them for establishing, exercising or defending a right in court;
  • you object the processing for the period of time pending verification whether the legitimate grounds of the company override your rights as data subject.

The right to lodge a complaint with the National Supervisory Authority for the Processing of Personal Data, if you consider that the company violates the legal provision in the matter of data processing.

The right to resolve your requests/suggestions/complaints regarding personal data within a reasonable period and to be informed on any measures adopted/the failure to adopt measures in relation to the request.

The right to be informed in the event of a breach of your data security, of the nature of putting your rights and interests at high risk, with the exceptions laid down by law.

 

REQUESTS/COMPLAINTS/SUGGESTIONS REGARDING PERSONAL DATA

 

Any requests/complaints/suggestions regarding personal data will be addressed in writing, to the e-mail address indicated in the first part of this document and with the provision of a contact address to which the answer/related information can also be communicated in writing. The same will be done in the case of requests/communications related to previous requests/complaints/suggestions.

When addressing any request/complaint/suggestion, the applicant will identify himself/herself appropriately, in order to prevent the compromise of data privacy, the adoption of measures at the request of wronged/unauthorised persons or the endangerment/violation in any way of the legitimate rights and interests of the data subjects in relation to the data for which the request is made.

In the case of requests made by proxy, the appropriate identification of the proxy and the verification of its capacity will be carried out (including directly from the data subject).

The requests sent by phone or the requests in which the only contact detail available is the phone number of the data subject will not be taken into account, until they are sent in writing, under the conditions previously mentioned.

If the request is made under conditions raising a suspicion to the controller regarding the identity of the applicant or regarding the legal nature of the request, the controller may suspend the solution until the provision of additional reasonable information/data in order to confirm the identity and/or capacity of the applicant.

We subordinate these requirements to our legal obligation and our legitimate interest to prove compliance with your rights according to the GDPR and all legal rules in the field of data protection.

Any request/suggestion/complaint shall be resolved within a reasonable period of a maximum of 30 days of its receipt.

This term can be extended by two months when necessary, taking into account the complexity and number of requests, with the justified information of the data subject on the reason for the extension of the 30-day term.

The answer and/or any communications required by the specifics of the request will be sent in writing to the data subject or his/her proxy, in the manner in which the controller received the request or in another written way, expressly and reasonably requested by the data subject/by his/her proxy.

 

 

THE VIDEO SURVEILLANCE POLICY

 

Making a firm reservation/Contracting of services/Showing at and the transit through the supervised locations specified below for any purpose/attending events at the supervised locations represents your acceptance of the provisions of this document.

 

  1. THE SUPERVISED LOCATIONS AND PREMISES

 

For your safety and comfort, Singureni Manor venue, located in Singureni Commune, Giurgiu County is monitored by means of video surveillance.

The image capture devices are located as follows:

  • the entry and exit points of the Singureni Manor premises;
  • parking lot(s);
  • front desk of accommodation units/restaurant;
  • the stairs and access halls (common/public) of the buildings where accommodation/restaurant services are provided;
  • external spaces required by the minimum necessary security surveillance;
  • in the vicinity of certain areas of major importance, which require additional security, such as areas where sums of money are kept, the access area to the video surveillance camera, areas where dangerous/flammable substances are stored, the maid area, certain offices, bar and restaurant(s) area, warehouses, etc.

At the same time, for the security of goods, persons and information, video surveillance is carried out at the company’s registered office. The image capture devices are located in the access area of the premises, in the access areas to the rooms where valuables, personal data and confidential information are stored.

The cameras work 24 hours/day, 7 days/week.

The supervised areas are signalled according to the supervised locations.

There is no monitoring of the public perimeter adjacent to the premises.

Areas likely to provide higher degree of discretion are not monitored, such as accommodation rooms, bathrooms and, as a rule, offices.

 

  1. THE IDENTIFICATION DATA OF THE CONTROLLER. CONTACT DETAILS

The controller processing the personal data collected via the means of video surveillance is the company POIANA CAILOR S.R.L, identified above.

For any requests/suggestions/complaints regarding your personal data and additional information regarding video surveillance, you can contact us in writing, at the address of our registered office or by e-mail, to the address provided in the first part of this website, to the attention of the Data Protection Officer.

 

  1. THE DATA COLLECTED

 

It is collected exclusively:

  • the visual image and registration number of cars, at the Singureni Manor venue
  • the visual image of the data subject, at the registered office,

correlated with the date and time the image was captured.

There is no voice recording.

The systems are not interconnected with databases that allow the direct identification of those captured in the images/based on the registration number.

 

  1. THE LEGAL FRAMEWORK. THE GROUNDS AND PURPOSES OF PROCESSING

 

We collect and process your personal data based on the following regulatory acts:

  1. a) Law no. 333/2003 regarding the security of objectives, goods, valuables and the protection of individuals, as subsequently amended and supplemented;
  2. b) Government Decision no. 301/2012 on the approval of the Methodological Norms for the application of Law 333/2003 regarding the security of objectives, goods, valuables and the protection of individuals;
  3. c) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regarding to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  4. d) The Instructions of the National Supervisory Authority for the Processing of Personal Data and of the authorised European working groups.

 

The grounds and purposes of processing are:

  • the legal obligation to safeguard and protect individuals, goods and information; allowing prompt investigations/interventions in case of security/safety incidents;
  • the legal obligation to secure personal data (e.g.: verifying access to data storage spaces);
  • to protect the essential interest of the data subject or of another natural person, even more so in the epidemiological context of Covid-19 (e.g.: in the course of epidemiological investigations, to determine the cause/source of an infection or contamination, etc.);
  • prevailing legitimate interest
    • to supervise the way employees perform their work and exercise the rights recognised by law within the framework of employment relationships (e.g.: carrying out disciplinary investigations, compliance checks with work procedures in case of incidents)
    • to maintain a high level of quality in the provision of services, by anticipating the needs of customers, supervising the current needs of maintenance, cleaning, guidance or assisting customers.

 

  1. THE DURATION OF PROCESSING

 

As a rule: 30 calendar days from collection, with subsequent automatic erasure.

Circumstantial: until the final resolution of the incident for which a recording is required as evidence/for the duration imposed by the authorities.

 

  1. THE DATA RECIPIENTS. INTERNATIONAL DATA TRANSFER

 

As a rule: only expressly nominated recipients – the management and employees/collaborators with duties in the supervision and security control and safeguard.

Circumstantial:

  • authorities/agents of public force in case of incidents, as needed or upon their request;
  • employees/collaborators in charge for technical-IT interventions on the system (in the sense of implicit access/need for verification or quality processing of images, etc.);
  • legal service providers involved in promoting/defending our legitimate rights and interests.

We do not transfer data outside Romania.

 

  1. SECURITY AND PRIVACY OF INFORMATION

 

We ensure the security and privacy of your data collected via video cameras through specific measures:

  • The surveillance is carried out based on a specific risk assessment, reviewed periodically and as needed;
  • We implement a Policy and specific Procedures in this regard;
  • We ensure the transparency of the processing, by displaying this Policy on the website, by its availability at the front desk of the accommodation units/bar/restaurant, by information and appropriate display at the venue;
  • The data storage media is located in secure spaces and access to the databases is computer-secured;
  • Those involved in the processing are properly trained, undertaking specific duties and liabilities;
  • The technical-IT interventions and safeguards are carried out by specialised staff;
  • We monitor the way in which such data is processed and we sanction acts of violation of internal security and privacy rules;
  • We act promptly, according to the law, in case of breaches and security incidents.

 

  1. THE RIGHTS OF THE DATA SUBJECT

 

In relation to all your data captured by the surveillance cameras, you can exercise the rights listed above, within the General Privacy Policy and under the conditions laid down by it.

Please keep in mind that, in this case, in most cases, the exercise of the above rights can have a favourable result only to the extent that a request/complaint is launched within the standard data retention period.

In the context of exercising your rights regarding the data collected via cameras:

  • We will comply with a data transfer/erasure request strictly if other persons’ data can be separated/made confidential appropriately and at reasonable costs;
  • The right to rectification – mainly, inapplicable in relation to the specifics of the processing.

 

 

Version 1.1, published on 28 Sept 2022.

 

 

BOOK NOW