PROTECTION OF PERSONAL DATA AT SC Z TOUR SRL
The protection of personal data at SC Z TOUR SRL has as it is central and constant concern that of ensuring the clients, collaborators, partners and employees of SC Z TOUR SRL, as well as any other types of data subjects, fundamental human rights and freedoms, in the spirit The Charter of Fundamental Rights of the European Union, the Universal Declaration of Human Rights and the Constitution of Romania.
How Protection of Personal Data is a fundamental right SC Z Tour SRL assumes the moral and legal obligation to ensure this right to all persons who entrust it with personal data. In order to ensure the security of this data to the people who entrust us with their personal data, SC Z Tour SRL implements a modern, flexible and secure personal data collection, processing and storage system, in accordance with European, Romanian and international legislation in the field personal data protection.
This Privacy Policy includes:
1. Presentation of SC Z Tour SRL as a personal data operator
2. What types of personal data does Z Tour SRL collect?
3. What are the categories of persons whose personal data is processed by SC Z Tour SRL (data subjects)?
4. Does SC Z Tour SRL process personal data of minors?
5. What is the purpose of personal data processing by SC Z Tour SRL?
6. What is the legal basis of the processing done by SC Z Tour SRL?
7. Who are the recipients and third parties to whom SC Z Tour SRL can transfer personal data?
8. How long will your personal data be kept?
9. Does SC Z Tour SRL transfer personal data outside of Romania?
10. Does SC Z Tour SRL have security measures regarding the protection of personal data processed through computer systems?
11. What are the rights of the persons who entrust us with their personal data?
12. What is the way to exercise rights, obtain advice and file a complaint?
1. Presentation of SC Z Tour SRL as a personal data operator
SC Z Tour SRL is a tourism company registered at the Trade Registry Office in Romania with registration number at the Trade Registry: J12/283/2002, with tourism license 1349 from 03/05/2019.
SC Z Tour SRL has legal personality and is apolitical. It was established in 2002. The registered office of SC Z Tour SRL is in Romania, Cluj-Napoca, Anatole France st., No. 62, postal code 400463.
SC Z Tour SRL organizes holidays, circuits, cruises, city breaks, ski holidays, spa & balneo in Romania and around the world, group or individual offers, for normal or legal clients. In order to facilitate stays and trips, SC Z Tour SRL also sells plane tickets and travel and life insurance policies. In addition to activities that involve the processing of personal data, SC Z Tour SRL also sells home insurance policies as well as car civil liability insurance (RCA). SC Z Tour SRL also has the quality of a specialist practice partner for students.
The structure of SC Tour SRL includes: 2 work points where activities specific to the authorized objects of activity are carried out: Activities of tour operators, other forms of education, insurances. They are located in Cluj-Napoca, Anatole France st., No. 62, postal code 400463 and in Cluj-Napoca, Str. Al Vaida Voievod No. 53b, Iulius Mall, Ground Floor 400436.
SC Z Tour SRL is a personal data operator (Data Controller) , according to the definition of art. 4 (7) of the GDPR and performs operations or sets of operations, through which it processes personal data. Depending on the purpose of the processing, SC Z Tour SRL informs the persons concerned about the types of personal data processed, the purpose of the processing and the legal grounds on which it processes, stores and transmits personal data. Information on the processing of personal data by category of persons concerned is available at the workplaces of SC Z Tour SRL or is transmitted through the company's electronic messaging service.
In order to ensure the protection of personal data, SC Z Tour SRL has at the center of its concerns compliance with all principles of personal data processing according to art 5 of the GDPR:
(a) processed lawfully, fairly and transparently to the data subject ("legality, fairness and transparency"). Explanation: Information on the data protection ensures legality, fairness and transparency. This is made available to all data subjects in online format - e-mail (prior to the provision of personal data) and in writing at work points;
(b) collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with these purposes. Explanation: The purposes for which data protection are processed, the means of processing, the legal grounds, the retention period are explicitly stated in the Information regarding data protection;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). Explanation: The documents completed by the persons concerned will contain only the data necessary for the proper performance of the specific activities: concluding a tourism contract/order slip, issuing a tax invoice, etc. No data will be requested that are not necessary or that are not included in the legal bases of the specific activities;
d) accurate and, if necessary, updated; all necessary steps must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay ("accuracy"). Explanation: the entire contest will be offered for the correction and completion without delay of the data provided by the data subjects at their request or on their own initiative. The data will be deleted as soon as the law requires it - according to the retention period included in the Archive Nomenclature of SC Z Tour SRL confirmed by the Cluj County Service of the National Archives;
(e) kept in a form that allows the identification of data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed ("storage limitations"); Explanation: the data will be kept in computer systems and in writing in formats that allow the identification of individuals without exceeding the purpose of processing according to the period established by the Archival Nomenclature. Adequate security measures will be in place throughout the period;
(f) processed in a way that ensures adequate security of the DCP, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures ("integrity and confidentiality"). Explanation: All physical, information, personnel, document, IT and communications security measures that each employee is obliged to adopt according to national and SC Z Tour SRL regulations will be respected.
In order to comply with the principles presented above, SC Z Tour has instituted technical and organizational measures to ensure the protection of personal data. In ensuring compliance with the GDPR, SC Z Tour SRL places at the center of its concerns the protection of the rights of the data subjects who entrust us with their personal data.
2. What types of personal data does SC Z Tour SRL collect?
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR) specifies in art 4 point 1 that: "personal data" means any information regarding an identified or identifiable natural person ("the person concerned"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more many specific elements, specific to his physical, physiological, genetic, psychological, economic, cultural or social identity".
The personal data collected by SC Z TOUR SRL is necessary to fulfill the contractual obligations and carry out the specific activities that SC Z TOUR SRL carries out. The request for these categories of personal data is based on the need to comply with legal provisions by SC Z Tour SRL or the development of contracts/requests for offers in favor of customers. In addition to the data requested as a result of a legal obligation to SC Z Tour SRL, we request certain personal data based on the informed consent/agreement of the customers in order to carry out promotional campaigns or offers (marketing).
In the Information regarding the processing of personal data, as well as in the Informed Consents, the types of data, the acts/documents on which they are registered, the purposes of using these data, the legal grounds and the retention periods are presented in detail. These Informations and Consents are made by categories of data subjects.
Below are generically presented the types of personal data that SC Z TOUR SRL requests in general from the persons concerned. They differ according to the category of persons concerned (employees/customers/collaborators/suppliers, etc.):
- identification data: surname, first name, birth name of the person (where applicable), CNP/ID personal number, series and number of the identity document, of the passport, home address, mailing address, e-mail, telephone (landline, fax , mobile), online identifier, etc.: they are necessary for employment, conclusion of a contract, occupational health and safety, correspondence, etc.;
- financial data: accounts opened at financial institutions, certificates, etc.; they are used for: payments of financial rights, payments of tourist contracts, other payments;
- data gained from audio-video recordings of the physiognomy of the persons concerned entering the premises of SC Z TOUR SRL: they are necessary to fulfill the conditions regarding the protection of objectives, goods and values as well as the protection of persons (according to Law (ROU) 333/2003, HG 301/2003 );
- electronic identification addresses: IP addresses, identifiers of local internet networks or hubs, geographic location, source of reference (from where the SC Z Tour SRL website page was entered – www.ztour-travel.ro) ; Statistical activity; Protection and security against intruders or accidental or intentional digital attacks.
See the cookie policy of Z TOUR SRL (https://www.ztour-travel.ro/CookiePolicy?lang=en );
3. What are the categories of persons/data subjects whose personal data is processed by SC Z Tour SRL (data subjects)?
- tourists;
- collaborators;
- employees;
- service providers;
- contractors: suppliers of goods and services, bidders;
- representatives of the beneficiaries of SC Z TOUR SRL services (representatives of legal entities);
- visitors: people recorded by video surveillance cameras;
- visitors of the website www.ztour-travel.ro;
- persons who address requests or other petitions;
- participants in events organized by SC Z Tour SRL (conferences, tourism fairs, etc.);
- students carrying out specialized practice at SC Z Tour SRL;
- people carrying out internship activities;
- persons carrying out verification, guidance and control activities at SC Z Tour SRL;
- people who take out an insurance policy.
4. Does SC Z Tour SRL process personal data of minors?
SC Z TOUR SRL does not systematically process personal data of minors. These data are collected by means of the video surveillance system based on the legislation on the guarding and protection of the objectives, goods, persons and values, on the occasion of occasional visits.
We only process personal data of persons under the age of 18 provided by the minor's legal representative. The purpose of this processing is to carry out in optimal conditions the contracted services (tourism and travel services) by the legal representatives of minors.
The SC Z TOUR SRL website does not intentionally collect information of users under the age of 16. If a parent or legal guardian notifies SC Z TOUR SRL regarding the existence of such personal data, SC Z TOUR SRL will take all necessary measures to delete the information. If you believe that information of a person under 16 years of age has been collected through the SC Z TOUR SRL website, please contact us at the e-mail address: office@ztour-travel.ro.
5. What is the purpose of personal data processing by SC Z Tour SRL?
According to art 4 point 2 of the GDPR: Processing refers to any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as: collection, registration, organization , structuring, storing, adapting or modifying, extracting, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, deleting or destroying.
The purpose of processing is closely related to the general and specific mission of SC Z TOUR SRL - according to the objects of activity and the legislation governing the areas of activity of SC Z Tour SRL. Also, the data collected by the video surveillance system is necessary for the protection of objectives, goods and values as well as the protection of people.
Mainly the processing of personal data is carried out for all the purposes provided for by Romanian and/or international legislation in the field of tourism or by its subsequent legislation.
Among the purposes of the processing we list: carrying out the activity of advising clients, carrying out the bidding activity, concluding travel contracts (order form), carrying out human resources activities (for employees), concluding and carrying out commercial contracts with legal persons, carrying out marketing activities , conclusion of insurance policies, participation in courses or specialized practice.
They will be presented in detail in the specific information addressed to both employees and customers. As part of the process of prior information of the data subjects, SC Z TOUR SRL explicitly presents the purposes of the processing by categories of data subjects.
6. What is the legal basis of the processing done by SC Z Tour SRL?
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).
• Law no. 190/2018 on measures to implement GDPR and repeal Directive 95/46/EC. (Legea nr. 190/2018 privind măsuri de punere în aplicare a GDPR și de abrogare a Directivei 95/46/CE).
• ORDINANCE no. 2 of August 2, 2018 regarding travel service packages and associated travel services, as well as for the amendment of some normative acts (ORDONANȚA nr. 2 din 2 august 2018 privind pachetele de servicii de călătorie și serviciile de călătorie asociate, precum și pentru modificarea unor acte normative)
Other legal frameworks that require SC Z TOUR SRL to process personal data are related to the general operation of SC Z TOUR SRL (legislation in the field of tourism, commercial companies, labor legislation, the tax code, payroll, occupational health and safety, security and protection , IT security, etc.):
• LAW No. 31 of November 16, 1990 regarding commercial companies (republished) (LEGEA Nr. 31 din 16 noiembrie 1990 privind societăţile comerciale (republicată)).
• Law no. 333/2003 regarding the protection of objectives, assets, values and the protection of persons (Legea nr. 333/2003 privind paza obiectivelor, bunurilor, valorilor şi protecţia persoanelor).
• HG no. 301/2012 for the approval of the Methodological Norms for the application of Law no. 333/2003 regarding the protection of objectives, goods, values and the protection of persons (HG nr. 301/2012 pentru aprobarea Normelor metodologice de aplicare a Legii nr. 333/2003 privind paza obiectivelor, bunurilor, valorilor si protectia persoanelor)
• Accounting LAW no. 82 of 24 December 1991 (republished) (LEGEA contabilității nr. 82 din 24 decembrie 1991 (republicată)).
• Law no. 227/2015 regarding the Fiscal Code updated by Law no. 131 of July 15, 2020 (Legea nr. 227/2015 privind Codul fiscal actualizat prin Legea nr. 131 din 15 iulie 2020)
• LAW no. 53 of January 24, 2003 LABOR CODE republished (LEGEA nr. 53 din 24 ianuarie 2003 CODUL MUNCII republicată)
• Law 307/12 July 2006 on fire protection, text in force as of March 25, 2016 (Legea 307/12 iulie 2006 privind apărarea împotriva incendiilor, text în vigoare începând cu data de 25 martie 2016)
• Law 481/2004 (*republished*) - on civil protection*) (Legea 481/2004 (*republicată*) - privind protecția civilă*))
• Law 319/2006 – occupational health and safety (Legea 319/2006 – securitatea şi sănătatea în muncă).
• EMERGENCY ORDINANCE no. 97 of July 14, 2005 (**republished**) regarding the record, domicile, residence and identity documents of Romanian citizens**), Published in the OFFICIAL GAZETTE no. 719 of October 12, 2011 (ORDONANȚĂ DE URGENȚĂ nr. 97 din 14 iulie 2005 (**republicată**) privind evidența, domiciliul, reședința și actele de identitate ale cetățenilor români**)_
• Regulation (EU) 2015/759 of the European Parliament and of the Council of April 29, 2015 amending Regulation (EC) no. 223/2009 and the MEN - National Institute of Statistics (INS) Convention regarding data processing for the production of official education and professional training statistics; (Regulamentul (UE) 2015/759 al Parlamentului European şi al Consiliului din 29 aprilie 2015 de modificare a Regulamentului (CE) nr. 223/2009 şi a Convenţiei MEN - Institutul Naţional de Statistică (INS) privind prelucrarea datelor în vederea producerii statisticilor oficiale de educaţie şi formare profesională).
• Law no. 365/2002 on electronic commerce, republished, with subsequent changes. (Legea nr. 365/2002 privind comerţul electronic, republicată, cu modificări ulterioar).
• BNR Regulation no. 6/11.10.2006 - Regulation of the Romanian National Bank (BNR) no. 6/11.10.2006 - regarding the issuance and use of electronic payment instruments and the relations between participants in transactions with these instruments; (Regulamentul BNR nr. 6/11.10.2006 - Regulamentul Băncii Naționale Române (BNR) nr. 6/11.10.2006 - privind emiterea și utilizarea instrumentelor de plată electronică și relațile dintre participanții la tranzacțiile cu aceste instrumente).
• Law no. 129/2019 - for the prevention and combating of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts; (Legea nr. 129/2019 - pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative).
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of confidentiality in the public communications sector (Directive on privacy and electronic communications); Directiva 2002/58/CE a Parlamentului European și a Consiliului din 12 iulie 2002 privind prelucrarea datelor personale și protejarea confidențialității în sectorul comunicațiilor publice (Directiva asupra confidențialității și comunicațiilor electronice)).
• Law no. 506 of November 17, 2004 on the processing of personal data and the protection of privacy in the electronic communications sector. (Legea nr. 506 din 17 noiembrie 2004 privind prelucrarea datelor cu caracter personal și protecția vieții private în sectorul comunicațiilor electronice).
In addition to the legal grounds deriving from the obligation for SC Z TOUR SRL to comply with the laws in force, SC Z TOUR SRL can use as legal justification for the processing of personal data the Agreement or Consent of the persons concerned if the processing is based on art 6 point 1 lit. a of the GDPR: the data subject has given his consent to the processing of his personal data for one or more specific purposes.
7. Who are the recipients and third parties to whom SC Z Tour SRL can transfer personal data?
The recipients and third parties to whom SC Z TOUR SRL can transfer certain personal data are public authorities or service providers who request this data, in accordance with the laws that govern their activity, more precisely: the Ministry of Public Finance, the Court of Accounts of Romania, courier/postal companies (for correspondence), travel service providers, air ticket providers, insurance brokers, banks with which employees and customers have contracts (for intermediating card payment), the secure online payment gateway ( PayU), IT service providers (maintenance, software development, hosting, site administration, platform administration: SC IT ECOSERV SRL, TI Infotech Pvt. Ltd., Tekvo SRL, Mailagent), audit firms, judicial bodies from Romania and other countries (EU, recognized by the EU as complying with personal data protection rules or that have personal data protection agreements with Romania), as well as courts, prosecutors' offices, central and local public authorities in Romania (e.g.: MAI, ANAF, ANPC, Competition Council, National Archives), police bodies; Cyber Security Incident Investigation and Support Institutions.
In the transfer process, SC Z TOUR SRL ensures compliance with all principles of personal data processing according to art. 5 of the GDPR. These transfers are strictly limited to purpose.
SC Z TOUR SRL has taken measures so that, in the process of transferring personal data, their full security is ensured, in accordance with the GDPR. At the same time, SC Z TOUR SRL has concluded personal data protection agreements with the legal entities with which it runs contracts and within which access to certain personal data is provided.
8. How long will your personal data be kept?
Personal data - which have been or will be requested - will be provided directly by the data subject or by an authorized person and will be processed within a period of time provided for in European and National legislation, in accordance with the GDPR and the other bases laws that require this. For each category of personal data, their retention period is provided. The retention periods correspond to the terms written in the Archival Nomenclature of Sc Z Tour SRL confirmed by the County Service of the Cluj National Archives. This is specified in the Privacy Notice.
The periods for which documents containing personal data are kept are:
- 50 years - personnel documents (job description, etc.);
- 30 years - entry-exit register
- 15 years - individual PSI, OSH, other training sheets
- 10 years - contracts for the sale of travel services; for accounting registers and supporting documents for financial accounting records;
- 5 years - for a series of purchase and inventory documents (receipts, delivery slips, receipts, purchase slips, accounts, imputation decisions, etc.), requests and personal certificates;
- 2 years – order forms (pre-contractual information), attendance status.
9. Does SC Z Tour SRL transfer personal data outside of Romania?
Data transfer can be done either on the basis of a decision on the adequacy of the level of protection issued by the European Commission based on art. 45 of the GDPR certifying that the third country meets the respective criteria, either on the basis of adequate guarantees, which can be provided by standard data protection clauses adopted by the Romanian National Authority for the Protection of Personal Data (ANSPDCP) and approved by the Commission in accordance with the examination procedure.
Other transfers are protected by clauses included in data protection agreements concluded between SC Z TOUR SRL and the entity to which the data is transferred. These agreements have clauses that include enforceable and effective rights for data subjects.
In order to fulfill the purposes regarding the processing of personal data SC Z TOUR SRL transfers some categories of personal data outside Romania or the EU/EEA states and to other states based on appropriate guarantees such as standard contractual clauses or administrative agreements with to which SC Z TOUR SRL is a party.
The purpose of these transfers is to facilitate the performance of tourist contracts and satisfy the needs of SC Z TOUR SRL customers/tourists.
10. Does SC Z Tour SRL have security measures regarding the protection of personal data processed through computer systems?
SC Z TOUR SRL has instituted technical and organizational measures to ensure the security of personal data both on the SC Z TOUR SRL website www.ztour-travel.ro, on the electronic platforms for booking tourist and travel services and within the company. Security measures are designed to maintain an appropriate level of data confidentiality, integrity and availability. Cyber/IT security systems are implemented.
SC Z TOUR SRL has appropriate measures to ensure that the data of users of the website www.ztour-travel.ro are protected against unauthorized access, use or modification, illegal or accidental destruction and accidental loss.
SC Z TOUR SRL implements a work procedure with electronic messaging .......@ztour-travel.ro, all employees using this intra- and extra-organizational communication system. The electronic messaging service includes measures to ensure the confidentiality, integrity, non-repudiation and availability of the messages sent. However, we recommend that any user be aware that there is always a risk of transmitting information over the Internet and manage this risk by adopting appropriate behavior.
The staff of SC Z Tour SRL is trained in the protection of personal data, through collective training sessions and individual counseling upon request or ordered by the management of the company.
11. What are the rights of the persons who entrust us with their personal data?
● the right to be informed (art. 13 and 14 of the GDPR) - by SC Z TOUR SRL about the type, purpose, and legal grounds of the processing;
● the right to access data (art. 15 of the GDPR) - the person has the right to obtain confirmation from SC Z TOUR SRL if they process personal data concerning them;
● the right to rectification (art. 16 of the GDPR) - of personal data without unjustified delay - the data subject may request SC Z Tour SRL to correct the data provided to SC Z Tour SRL;
● the right to data deletion ("the right to be forgotten") - (art. 17 of the GDPR) - to obtain from SC Z TOUR SRL the deletion of personal data concerning you, without unjustified delay, and SC Z TOUR SRL has the obligation to to delete personal data without unjustified delay;
● the right to restrict processing (art. 18 of the GDPR) - when you consider that the personal data are not accurate, or you consider that the processing is illegal, or SC Z Tour SRL no longer needs these data;
● the right to notification regarding the rectification or deletion of personal data or the restriction of processing (art. 19 of the GDPR);
● the right to data portability (art. 20 of the GDPR) - you have the right to receive the personal data concerning you that you have provided to Z Tour SRL in a structured, commonly used and automatically readable format to be able to transmit them to another operator;
● the right to object (art. 21 of the GDPR) - you can object to the processing pursuant to article 6 paragraph (1) letter (e) or (f) or article 6 paragraph (1) of personal data concerning you, including the creation of profiles based on those provisions;
● the right not to be subject to a decision based exclusively on automatic processing - including the creation of profiles (art. 22) - which produces legal effects that concern you or similarly affect you to a significant extent;
● the right to submit a complaint to the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) (art. 15/GDPR - see chapter 12).
12. How to exercise rights and file a complaint
To exercise any of your rights presented in chapter 11, we invite you to contact the Personal Data Protection Officer (DPO) of SC Z Tour SRL at the e-mail address office@ztour-travel.ro, landline phone 0040 -364.643. 000 tel. Mobile 0040-744.559.348, or directly at the headquarters of SC Z Tour SRL (Cluj-Napoca, str. Anatole France no. 62).
As part of these requests, please do not disclose sensitive personal data (information about religious beliefs, ethnic or racial origin or any other information related to health or trade union membership) when you contact us.
SC Z Tour SRL, through the DPO, responds to the requests of the data subjects without unjustified delay or gives reasons for the delay to the data subject and, if it does not intend to comply with that request, reasons for this refusal. If the data subject submits a request in electronic format, the information is provided in electronic format where possible, unless the data subject requests a different format.
If requests from a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, the operator (SC Z Tour SRL) may:
- either charge a reasonable fee taking into account the administrative costs for providing the information or communication or for taking the requested measures;
- or refuse to comply with the request.
In these cases, the operator (SC Z Tour SRL) is responsible for demonstrating the manifestly unfounded or excessive nature of the request.
Z TOUR SRL also has the responsibility to take all reasonable steps to verify the identity of a data subject requesting access to data, especially in the context of online services and online identifiers.
If the petitioner addressed SC Z Tour SRL for the exercise of the rights recognized by the GDPR and no response was received within one month after receiving the request (exceptionally, the period can be extended by two months, with the observance of certain obligations by the operator ) or the petitioner is dissatisfied with the answer received, a complaint can be made to the National Supervisory Authority for the Processing of Personal Data accompanied by evidence. See the approved Complaints Resolution Procedure Decision no. 133/2018. anspdcp@dataprotection.ro or https://www.dataprotection.ro/?page=Plangeri_pagina_principala