GDPR Compliance Statement
Last updated: April 28, 2025
Your Data Security Matters to Us
At Hotels of Romania, we are committed to protecting your personal data and ensuring your privacy rights. This statement outlines our approach to GDPR compliance and how we safeguard your information.
1. Our Commitment
Hotels of Romania ("we", "us", or "our") is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the General Data Protection Regulation (GDPR).
We are dedicated to safeguarding the personal information under our control and to developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for, the GDPR. This statement outlines how we approach data protection and our GDPR compliance measures.
2. GDPR Principles
We adhere to the principles of the GDPR, which require that personal data shall be:
1. Lawfulness, Fairness and Transparency
Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Purpose Limitation
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data Minimization
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
5. Storage Limitation
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Integrity and Confidentiality
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
7. Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR principles.
3. Data Subject Rights
Under GDPR, we recognize and respect the rights of data subjects (individuals whose personal data we process). These rights include:
Right to be Informed
- We provide clear and transparent information about how we use personal data through our Privacy Policy.
- We inform data subjects at the point of data collection about the purposes of processing, retention periods, and who the data will be shared with.
Right of Access
- Data subjects have the right to obtain confirmation that their data is being processed.
- Data subjects can request a copy of their personal data and other supplementary information.
- We will provide this information within one month of receipt of the request.
Right to Rectification
- Data subjects have the right to have inaccurate personal data rectified, or completed if it is incomplete.
- We will respond to such requests within one month.
Right to Erasure (Right to be Forgotten)
- Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- We have processes in place to ensure we can respond to these requests within one month.
Right to Restrict Processing
- Data subjects have the right to block or suppress the processing of their personal data.
- When processing is restricted, we are permitted to store the personal data, but not to process it further.
Right to Data Portability
- Data subjects can obtain and reuse their personal data for their own purposes across different services.
- We provide personal data in a structured, commonly used, and machine-readable format.
Right to Object
- Data subjects can object to processing based on legitimate interests or for direct marketing purposes.
- When an objection is raised, we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing.
Rights Related to Automated Decision Making and Profiling
- Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.
- We ensure that any automated decision-making systems have appropriate safeguards in place.
How to Exercise Your Rights
If you wish to exercise any of these rights, please contact our Data Protection Officer at dpo@hotelsofromania.com. We will respond to your request within one month. There is no charge for making a request, but we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
4. Data Protection Measures
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data: We use industry-standard encryption technologies to protect personal data during transmission and when stored.
- Ongoing confidentiality, integrity, availability and resilience of processing systems and services: We have implemented systems and procedures to ensure that our data processing systems maintain confidentiality, integrity, availability, and resilience.
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: We maintain comprehensive backup and disaster recovery procedures.
- Regular testing, assessing and evaluating the effectiveness of technical and organizational measures: We regularly test and evaluate our security measures to ensure they remain effective.
- Staff training and awareness: All employees are provided with data protection training and are required to follow our data protection policies and procedures.
- Data protection by design and by default: We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.
5. Data Breach Procedures
We have implemented comprehensive procedures to detect, report, and investigate personal data breaches. In the event of a data breach that poses a risk to the rights and freedoms of individuals, we will:
- Notify the relevant supervisory authority (The National Authority for the Supervision of Personal Data Processing in Romania) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.
6. International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure that adequate safeguards are in place. These may include:
- Transfers to countries that have been deemed to provide an adequate level of protection by the European Commission.
- Transfers subject to appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules, or approved codes of conduct or certification mechanisms.
- Transfers based on specific derogations provided for in the GDPR, such as explicit consent or contractual necessity.
7. Data Protection Impact Assessments (DPIAs)
We carry out Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of individuals. Our DPIA process includes:
- A systematic description of the processing operations and purposes.
- An assessment of the necessity and proportionality of the processing.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address the risks and demonstrate compliance with the GDPR.
8. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. The responsibilities of our DPO include:
- Informing and advising the organization and employees about their obligations under the GDPR.
- Monitoring compliance with the GDPR and internal data protection policies and procedures.
- Providing advice on Data Protection Impact Assessments.
- Cooperating with the supervisory authority.
- Acting as a contact point for the supervisory authority.
Our Data Protection Officer can be contacted at:
- Email: dpo@hotelsofromania.com
- Phone: +40 21 310 5588
- Mail: 23 Hoteliers Boulevard, District 1, Bucharest, Romania
9. Training and Awareness
We provide regular data protection training for all employees. This includes:
- Initial training for new employees.
- Regular refresher training for existing employees.
- Additional specialized training for employees with key data protection responsibilities.
- Updates on new data protection developments and changes to our policies and procedures.
10. Documentation and Records of Processing Activities
We maintain detailed records of our processing activities as required by Article 30 of the GDPR. These records include:
- The name and contact details of our organization and, where applicable, the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and personal data.
- The categories of recipients to whom the personal data has been or will be disclosed.
- Transfers of personal data to third countries or international organizations.
- The envisaged time limits for erasure of the different categories of data.
- A general description of the technical and organizational security measures in place.
11. Compliance Monitoring and Review
We continuously monitor our GDPR compliance and regularly review our data protection policies and procedures to ensure they remain effective and up-to-date. This includes:
- Regular audits of data processing activities.
- Reviews of data protection policies and procedures.
- Updates to reflect changes in law, guidance, or best practice.
- Engagement with industry bodies and data protection authorities.
12. Contact Information
For any queries about our GDPR compliance or to exercise your rights as a data subject, please contact our Data Protection Officer at:
- Email: dpo@hotelsofromania.com
- Phone: +40 21 310 5588
- Mail: 23 Hoteliers Boulevard, District 1, Bucharest, Romania
Or our general contact details:
- Email: info@hotelsofromania.com
- Phone: +40 21 310 5588
- Mail: 23 Hoteliers Boulevard, District 1, Bucharest, Romania
You also have the right to lodge a complaint with the supervisory authority, The National Authority for the Supervision of Personal Data Processing in Romania (ANSPDCP), if you believe that our processing of your personal data infringes the GDPR.