COMPLEX HOTELIER PARC SA guarantees the security and confidentiality of data hosted and transmitted through its computer system. This information may be used by COMPLEX HOTELIER PARC SA to send the user confirmation of orders, various special offers, promotions, etc. only with the consent of the person concerned.
The provision of personal data to COMPLEX HOTELIER PARC SA does not imply any obligation on the part of the users, and they may refuse to provide these data in any circumstances and may request their deletion from the database free of charge.
COMPLEX HOTELIER PARC SA, owner of the online platform, does not intervene directly or indirectly on the databases where customer information is stored.
In order to make possible the invoicing, dispatch and delivery of orders placed, the user must agree that COMPLEX HOTELIER PARC SA collects and processes the data entered, in accordance with the requirements of Law no. 679/2016 (GDPR).
In accordance with the requirements of Law no. 679/2016 (GDPR) for the protection of individuals with regard to the processing of personal data, and the protection of privacy in the electronic communications sector, COMPLEX HOTELIER PARC SA is obliged to manage safely and only for the specified purposes, the personal data provided.
In this regard, COMPLEX HOTELIER PARC SA has developed a series of technical and organizational measures to prevent risks that may arise in the processing of personal data.
The processing of personal data within the organization is conditioned by a series of technical and organizational measures in order to secure them.
These measures are designed to protect information at the organisational level against security incidents.
At the level of the organisation, the following security measures have been taken to reduce risks:
- SSL Certificate – is designed to secure the exchange of information over the Internet. It encrypts the information before it travels over the Internet. Encrypted information can only be decrypted by the server to which it is addressed. This guarantees that information submitted to a website/online platform will not be stolen, intercepted or processed.
Bank card information, passwords and generally any information that is intended to remain private is secured by this certificate.
- SSL certificate of the online platform HOTEL COMPLEX PARC SA is also used for securing e-mail correspondence, so that the personal data of customers circulate in a secure environment and regulated by a series of security measures that ensure the confidentiality of information.
- Automatic back-up – set at a time interval to safeguard the information, so that all customers can be sure that the information and preferences provided by them do not disappear and are not destroyed, lost or rendered incorrect in case of a server failure.
- Anti-spam and anti-virus filters that prevent the infiltration of malicious content or viruses that may process data in an unauthorised manner or transmit it to other entities or persons who have not obtained the data subject’s consent.
- Protect the content of the customer profile by introducing a more complex password generation rule. The customer is asked, when creating the account, for a password that meets a higher complexity criterion (alphanumeric + special characters);
- Securing modules and scripts that communicate within the platform. The functioning of the elements involved in client-server, server-client interaction is constantly checked.
- Verification and optimization of modules. This measure prevents the identification of global vulnerabilities in the platforms used, 0-day vulnerabilities that can intercept the exchange of data and therefore personal data in the interactions of the client with the platform or of the process owner with the client and the platform.
- Classification of access types by the process manager – administration groups, possibility to add or delete certain rights on a user with full access – customization of access according to need.
- Password protection of the device on which the process owner performs data processing to prevent unauthorised intervention.
- Firewall – a software program and hardware component installed in the server location of the company offering the hosting of the online platform, intended to protect the server and network equipment against computer attacks, unauthorized intrusion attempts and the installation of malicious software applications that may jeopardize the personal data of platform users. The firewall blocks unauthorized persons from accessing information stored on the equipment connected to the Internet.
- Access to data processing systems where personal data is processed is only possible after the authorized person has been successfully identified and authenticated (e.g. with username and password or chip/PIN card), using the best security measures. In the absence of authorisation, access is refused.
- All access attempts, both successful and unsuccessful, are logged (user ID, computer, IP address used) and archived in an audit-compliant format for 3 months. In order to detect misuse, the server performs repeated, random checks;
- Access is blocked after repeated incorrect login attempts.
- Constant checking of platform vulnerabilities, which could allow the extraction of personal information and data. The hosting has security measures and solutions that recurrently scan the processed files and data flow circulating within the platform;
- Combat the risks of security breaches by taking technical and organisational precautions by securing the platform and constantly updating it with stable versions.
- Password security of equipment that has direct access to the order table and customer delivery/billing data to prevent unauthorised access and therefore unauthorised processing by unauthorised persons.
- Destruction of documents that are no longer needed (notes, erroneous invoices, etc.) using a document shredder at the disposal of the process manager;
- Eliminate the risk generated by the human factor by prohibiting the processing of information outside the secure platform with the exception of the preparation of transport notes in the courier company’s platform, which is also a secure environment;
- Adoption of security measures without differentiating between types of customers (new/existing/potential);
- Adoption of an internal policy of verification of processes and processing at the time of product delivery or information retrieval regarding an order or possible offer;
- Avoiding differentiation between clients through mechanisms that can positively or negatively profile the targeted person. For this reason, we do not ask for personal data on sexual orientation, sexual interests, gender, religion, membership of movements or groups, etc. Customers are free to order and choose what they want. With this measure, we consider that we respect the integrity of the person and avoid any trace of analysis/profiling based on these criteria.
- Informing customers about the delivery, return and order processing procedure;
- Train the process owner on the risks of processing personal data outside the online platform.
- Train the process owner on the need for notification in the event of a major security incident.
- Training of the process manager on how to handle situations that may occur when processing data within the platform (errors, user errors).
- Training the process owner on the use of the information they process and awareness of the nature of personal information;
- Prohibiting data processing outside the platform by managing orders directly in the user interface of the platform, not requiring data processing in other insecure and vulnerable environments.
- The process owner is regularly trained on:
  - Data protection principles, including technical and organisational measures;
  - The requirement to maintain the secrecy of data and confidentiality of the organization’s secrets and trade secrets, including transactions;
  - Correct, careful use of data, data media and other documents;
  - The secret of telecommunications;
  - Other specific confidentiality obligations where necessary.
From the point of view of processing, within COMPLEX HOTELIER PARC SA, personal data are processed only for the purposes for which the data subject’s consent has been obtained, including for parallel purposes and for the conclusion of a contract or the delivery of a product to the customer requested by the latter.
As this organization operates mostly online, the processing of personal data of customers is transmitted online through the applications and platform on which orders and requests for quotation are requested. The data collected is minimized and is directly related to the purpose for which consent was obtained and is necessary to contact the customer in the case of a request for an offer or to deliver and provide the product/service ordered as required or its return.
COMPLEX HOTELIER PARC SA, a legal entity registered at the Trade Register (J28/677/1995, CUI RO7836012), is a direct operator. The purpose of processing personal data is the provision of products and services through the online platform as well as the parallel purposes of this activity: return of products, processing of information necessary for delivery, improvement of the user experience by retaining certain settings or preferences, after obtaining the user’s consent, price changes, product/service features, stock changes, promotions, billing.
The categories of persons targeted are: current/potential customers or visitors to the website.
The ways in which data subjects are informed of their rights are:
- Terms and conditions of use of the platform/online shop;
- On the website in a dedicated section;
- By email following registration on the platform, as well as if the client requests additional information, requests for quotation;
- In the contact form on the website (please attach the document);
Exercising the rights provided for by Law no. 679/2016 (GDPR) is entirely the responsibility of the controller who is also legally obliged to designate a person responsible for processing personal data within the organization. This person will develop a set of technical and organisational measures for securing data processing and is obliged to inform the controller about the nature of the processing processes, types of information and how these processes are carried out within the organisation. The controller has the responsibility and the obligation to ensure that these measures are implemented, that there is no risk of security breaches or leaks of information as well as compliance with the legislation in force regarding data processing and data subjects’ rights.
The following personal data are processed through the online platform:
- name and surname
- phone/fax
HOTEL COMPLEX PARC SA does not process special categories of data.
HOTEL COMPLEX PARC SA does not transfer data abroad or to third parties.
The processing of personal data has no connection with other record-keeping systems. The actual activity of the company is to take orders initiated by customers through the online platform, to store and process them for invoicing, shipping and delivery of ordered products.
The information entered by the client on the platform is processed and stored strictly in accordance with the purposes for which the client’s consent was given:
- Withdrawal from a concluded contract (withdrawal can be made according to the law, taking into account the conditions under which this contract was originally concluded and the legal provisions agreed upon initially);
The purpose of data collection is to invoice orders, send correspondence and honour orders. Your refusal to provide the data determines the impossibility of placing your order on this site and processing it as required, and the impossibility of fulfilling the purpose.
According to Law no. 679/2016 (GDPR), the user benefits from the right of access, the right to be forgotten, the right to portability of information and personal data, the right to intervene on the data, the right not to be subject to an individual decision and the right to take legal action. He/she also has the right to object to the processing of personal data and may request the deletion of the data. In order to exercise these rights, the user may send a written request, dated and signed, to the e-mail address email@example.com. Also, if any of the user data is incorrect, please let us know so that we can make the necessary corrections.