Privacy and Data Protection Policy

Last update: June 2022

This policy details APARTAMENTE FAGARAS S.R.L. practice regarding the processing of personal data through the domain (hereinafter briefly, generically, the Website or Site) and is intended to inform users about this subject.

By using the Website below, you acknowledge that you have become aware of and agree to this Privacy and Data Protection Policy, and also to the Cookie Policy and also the Terms and Conditions published on the Site.

1. Identification of the data controller

Reg. com.: J08/8/2021
CIF: 43515973

2. Contact details in the field of personal data protection

The Company collects information from the traffic reports recorded by the servers hosting the Site, as well as through cookies.

Information obtained from the traffic reports recorded by server:When a website is accessed, users automatically disclose certain information, such as the IP address, the time of the visit, the place where the website was accessed. The Company, like other operators, registers this information.

Information obtained through cookie: All details on how data is processed in this context, are indicated in the Cookie Policy available on the Website.

The contact details that the visitor can use to transmit any requests, notifications or claims regarding this Privacy and Data Protection Policy, as well as in the Terms and Conditions and the Cookie Policy, as well as any other information published on the Site, policies or operations performed by the Company, are indicated at point 1 above.

The deadline for the Company to send a response is no more than 30 days from the receipt of the request.

3. Data subject

Given that the Company processes personal data of visitors / users of the Site, they hold the status of data subject and declare that they are over 16 years old.

If the information / requests transmitted by the users also concern personal data relating to other persons (those persons hence acquiring the status of data subject), the Company shall process their data strictly in order to be able to respond to that information / request.

4. Processed personal data

Any information regarding an identified or identifiable natural person, respectively the data subject, can be considered as personal data.

Considering the processing purposes indicated herein, the Company tries to reduce as much as possible the personal data processed.

Thus, according to the Cookie Policy, the data subject shall be able to choose the types of cookies (applicable where their use is not automatically made for the functioning of the Site) by checking a box, in order to ensure a more complete and better experience when browsing the Site.

Depending on the cookie settings, other data can be processed (especially those related to user preferences and behavior on the Site).

5. Processing of personal data

It represents the processing of personal data, any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means.

The Company accesses, collects, uses and performs any other actions allowed by the applicable law on the personal data provided by visitors, within the limits indicated at point 4 above.

6. Purpose

The visitor of the Website is the person who accesses this page and whose personal data are processed for different purposes (respectively you). Those purposes are:

• For the personal data provided by the traffic reports recorded by server:
◦ identification of the sections of interest of the Site
◦ safer administration of the computer system and the Site

• For the personal data provided by the use of cookies:
◦ functioning and smooth operation of the Site (needed cookie)
◦ depending on the settings chosen by the user, additional personal data can be used for obtaining statistical information that allows to improve the offered services, saving preferences, advertising etc. All details regarding this type of data processing can be found in the Cookie Policy.

• For personal data provided in the contact form:
◦ name, e-mail address, address, telephone number, information for payment, date of birth, current location (in the case of on-demand services), names of people traveling with you and any preferences related to the stay (such as food and accessibility requirements). In some cases, we will ask you to provide information from your ID / passport or a driver’s license, as well as signatures.

If the Company intends to subsequently process the personal data for a purpose other than those indicated above, it shall provide the data subject prior to such further processing, additional relevant information regarding the secondary purpose, by completing the necessary formalities according to the law.

7. Recipients of the processing

The personal data shall be provided to:

• the support service providers contracted by the Company in order to fulfill its contractual or legal obligations, such as:
◦ the IT company – can access all the data recorded in the Company’s online records, including those of the users;
◦ the lawyers of the Company – can access all data recorded in the Company’s records, including those of the users, in case of legal issues that require their involvement;
◦ advertising, PR and communication companies for the marketing activity. These companies may collect data through cookies or through the registration forms for the event or feedback, and to the extent that this happens, the Company shall provide this information to the data subjects in advance and obtain their consent where needed;

The list of suppliers listed above is not exhaustive, but it does indicate the main such collaborating companies. They shall have the capacity of independent controller, joint controller or processor in relation to the Company – depending on the factual situation and the contract’s clauses. However, regardless of the quality held, they are obliged to maintain the confidentiality and security of the personal data of the data subject, adopting appropriate technical and organizational measures. Upon request, the main clauses of those contracts can be communicated to the data subject.

Although they are not considered as recipients of personal data under the legal provisions, public authorities (including the fiscal authority and the consumer protection authority) and the courts of law may process all/any of the personal data obtained by means of the Site.

8. Legal ground for processing (6 letter a GDPR)

• the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
• the processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject before the conclusion of a contract;
• the processing is necessary in order to comply with a legal obligation to which the operator is subject;
• processing is necessary to protect the vital interests of the data subject or of another natural person;
• the processing is necessary for the performance of a task performed in the public interest or in the exercise of official authority conferred on the controller;
• processing is necessary for the legitimate interests of the controller or a third party, unless such interests are subject to the interests or fundamental rights and freedoms of the data subject who require the protection of personal data, in particular where the data subject is a child.

9. Type of processing

Data processing activities performed by the Company, mainly refer to:

• use of data for providing feedback and answers to the messages transmitted by the user;
• use of data for the conclusion and execution of the contract;
• use of data for the purpose of each category of cookies chosen by the User;
• collecting other unsolicited data if provided by the data subject (user) in a communication, request or complaint addressed to the Company, so that it can respond and solve the request or remedy the incident;
• storing personal data according to the law and within the limits necessary to achieve the purpose, in the electronic and secure database held by the Company;
• allowing access to personal data to certain employee and external collaborator who provide support services for the Company, whose activity involves the processing of personal data under the condition of undertaking the obligation of confidentiality;
• allowing access to personal data to the competent authorities, insofar as the law obliges.

10. Processing and storing of data duration

The storage period of the personal data collected, is:

• until the withdrawal of the consent or the exercise of the right to data erasure (right to be forgotten) of the user – for the processing of personal data based on the consent of the data subject within the limits indicated by art. 17 of the EU Regulation no. 679/2019;
• a longer period than the abovementioned, when the law regulates in such manner or when there is a well-justified ground for this action (for example, to exercise a right before the court in a litigation started before the expiry of the storage period indicated herein). ).

Upon expiry of the aforementioned periods, all data shall be deleted from the Company’s records.

11. Rights of the data subject

a). The right to be informed

The internal regulations and policies of the Company are always available to the data subject, being posted on the Site. See in this regard the present policy, the Cookie Policy and the Terms and Conditions.

The Company reserves the right to modify / update the content of the Site, including the policies to which references are made, at its sole discretion, at any time and for any reason (including but not limited to the occurrence of legislative or jurisprudential changes that may affect the consequences to those published on the Site). The revision of this policy in the future shall be signalled by modifying the “Last updated” date at the top of this document. After the date the updated policy is published, accessing the Site shall represent the user’s acceptance of these updated conditions.

However, if there shall be significant changes that could affect the rights and freedoms of the users or if it shall become obligatory to obtain their consent, informing them about these changes shall be made by easily visible indications posted on the Site (pop-ups) or by transmitting e-mails to the addresses provided (if applicable). Such significant changes shall have effects for users within 15 days from the time of the posting the pop-up in question or of sending the email (how the information shall be made being decided by the Company, by on a case by case basis).

However, regardless of the extent of the change, the responsibility to check the content of the Site (including the Terms and Conditions, as well as the policies displayed), in order to be up to date with the latest versions, shall be entirely the responsibility of the user. Thus, STUDY OF THIS PRIVACY AND DATA PROTECTION POLICY, OF THE TERMS AND CONDITIONS AND THE COOKIE POLICY, SHOULD BE MADE BY USERS WHENEVER THEY ACCESS THE SITE AND BEFORE MAKING ANY REGISTRATION OR PROVIDING ANY DATA, WHEREAS CHANGES CAN APPEAR.

Upon request, the data subject shall be informed about the essence of the contracts concluded with the above mentioned recipients of personal data where possible, and also of the data source.

b). The right of access the personal data processed

If the data subject wishes to receive information regarding the processing of data performed by the Company, he/she can send a request to the Company, and a response shall be provided within 30 days as of reception.

c). The right to data rectification

If the data subject wishes to rectify / amend the inaccurate / incomplete personal data concerning him or her as provided to the Company, he / she can send a request to the Company, and a response shall be provided within 30 days as of reception.

d). The right to data erasure (right to be forgotten)

The data subject shall have the right to obtain the erasure of personal data concerning him/her:

• at the expiration of the processing duration;
• if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• if the data subject withdraws his / her consent on which the processing is based and where there is no other legal ground for the processing;
• if the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• if the processing is illegal, the personal data being unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation.

The exceptional cases provided in art. 17 paragraph 3 of the European Regulation no. 679/2016 are applicable.

Some data are part of the Company’s records, which it keeps in relation to its legal obligations or its legitimate interest. Therefore, not all data can be erased, according to the law. However, any refusal to delete the data shall be motivated by the Company and shall be based on a clear legal basis.

e). The right to restriction of processing and the right to object

The restriction of processing can be applied if the data subject finds out that:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are not yet deleted and are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The Company may continue processing the restricted personal data if it is necessary to establish, exercise or defend a right in court, or protect/defend a person but only with the consent of the data subject.

The Company shall communicate to the recipients that a rectification, deletion or restriction of the personal data took place, unless it is impossible or it involves disproportionate efforts.

f). The right to data portability

The data subject or a third party indicated by him / her, can receive on request, the personal data processed by the Company. The Company assumes no responsibility for the data processing performed by that third party.

The obligation to ensure the right to portability is the responsibility of the Company only if the processing of the personal data is based on the consent of the data subject or on the conclusion and execution of the contract. The actions shall be taken within 30 days from the receipt of the request.

g). The right to object

The data subject shall have the right to object, on grounds relating to his / her particular situation, at any time to processing of personal data based on the legitimate interest of the Company (including profiling).

Regardless to the above, if the Company demonstrates well justified legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, the processing of data can continue.

h). The right to submit a claim

The data subject may submit:

• a request / a claim using the contact data of the Company, as indicated at art. 1 above;
• an action before the competent court;
• a complaint before the Romanian National Supervisory Authority for the Processing of Personal Data (

However, the Company wishes any conflict/dispute to be resolved amicably and provides all availability in this regard.

i). The right to withdraw the consent given

The data subject may withdraw his / her consent at any time, without however affecting the legality of the processing before the withdrawal nor the one based on another legal grounds.

j). The right to not be subject to an automated decision

The Company does not take any decision based solely on automatic processing of personal data.

12. Main obligations of the data subject

a). Confidentiality

The data subject has the obligation to keep the confidentiality of all personal data with which he / she comes into contact in relation to the Company, for an unlimited period of time.

b). Complying with the data security measures

The data subject shall not process any confidential data or personal data of third parties, unless it is absolutely necessary, confidentiality is ensured and the specific legislation is fully complied with.

In case of breach of the obligations indicated in this art. 12 by the data subject, the Company shall be entitled to obtain from him / her compensation for all the damages suffered.

13. Obligations of the Company. Security measures applicable to the processed personal data

The Company complied with the provisions of the data protection legislation and has implemented appropriate technical and organizational measures to ensure the security of the processed personal data and the rights of the data subjects. Thus, the Company has implemented measures such as:

• the conclusion of contracts with collaborators which have undertook the obligation of confidentiality in relation to the personal data processed, as well as the general obligation to comply with the applicable legislation in the field of personal data protection;
• training the employees and collaborators on the importance of personal data protection, as well as limiting their access to data according to their attributions and competences;
• establishing internal procedures having the purpose of protecting personal data;
• indicating specially contact data which can be used for questions/claims regarding personal data (ie. the one indicated in art. 1 of the present police);
• implementing information security measures;
• not installing structures that allow access to the Site only if a user account is created;
not installing cookies in addition to those necessary for the functioning of the Site and offering the users at all times the possibility to choose the additional cookies accepted.

Also, the Company shall inform the competent data protection authority in the event of a breach concerning data security, without undue delay and, if possible, within 72 hours from the moment it became aware of it, unless it is unlikely to create a risk for the rights and freedoms of individuals. If the notification to the authority shall not be made within the 72 hours, it shall be accompanied by a justified explanation for the delay.

Any statistics regarding the traffic of the users on the Site, which the Company shall provide to third party advertising networks or to other sites, shall have a data set form and shall not include any identifiable information about any individual user.

Unfortunately, no data transmission through the internet can be guaranteed to be 100% secure. Consequently, despite the Company’s efforts to protect users’ personal data, it cannot guarantee or ensure the security of information transmitted by them through the Site. Users are therefore warned that any information sent through the online environment shall be done at their own risk.

To mitigate this risk, one of the measures took by the Company is to offer all interested users the possibility to send requests / addresses / messages in material form, to the Company headquarters, and not necessarily through the “Contact” box.

14. Liability of the Company

The Company’s liability in relation to the data subject shall be established in relation to the quality held in the respective data processing operation, the reason and place of the incident, the security measures taken, the measures took to avoid incidents and the observance of the other legal obligations.

15. Transfer of personal data to third countries/international organizations

The Company does not transfer personal data of the data subjects outside Romania.

16. Final provisions

This policy applies to the Company and to the Site visitors/users (including those who complete the existing forms on the Site).

This document is part of the Company’s set of security policies. Other policies can apply to the topics addressed herein and can be reviewed according to specific needs.