Privacy Policy

INTRODUCTION

Through this Privacy Policy we want to provide you with all the necessary information regarding the processing of personal data, which we collect directly or indirectly from you when you interact with us.

We are committed to ensuring the confidentiality and protection of your personal data and to be fully transparent about the situations, purposes and means in which we carry out our processing activities.                

When we request personal data from you, we shall in particular ensure that it is appropriate, relevant and limited to what is necessary in relation to the specified, explicit and legitimate purposes.

We pay special attention to your rights and respond to your requests when you need additional information.

Within this Privacy Policy you can access the Privacy Notices, where we detail the main processing activities.

WHO ARE WE AND HOW CAN YOU CONTACT US?

We are Therme Nord București S.R.L. (“Therme”, “We”), Romanian legal entity, registered at the Trade Register Sibiu, under number J32/55/2012, CUI RO 28472550.

When we act as data controller, deciding the purposes and means of personal data processing, we have the responsibility to fulfill all legal requirements regarding the processing of your personal data.

Our registered office is located in Romania, Sibiu, Victor Hugo street, no. 2, building C1, office 1, 1st  floor.

We operate from our working point, in Balotești, Calea Bucureşti, no. 1K, Ilfov County, Romania (Therme Bucureşti Complex).

We have a data protection team and we have appointed a Data Protection Officer, who carries out their activity at the address of the working point and can be contacted by email, at the email address: dataprotection@therme.ro

You can contact us by mail, courier and by email at the mentioned addresses.

TO WHOM IS ADDRESSED THIS PRIVACY POLICY?

This Privacy Policy applies to you as a visitor, customer, partner, user, employee, representant,  participant in various competitions, events, winners, etc., whenever you:

  • Visit and use our services, within the Therme București complex as well as in surrounding areas such as parking, offices, transit areas, technical storage spaces etc.;
  • Access and use our website and its related subdomains;
  • Install and use My Therme mobile applications;
  • Interact with us through online communication channels such as website, email, social media, or other means;
  • Attend to Therme's or Therme Group's marketing events.
  • You are a service provider, client or other type of legal entity with whom Therme has contractual relations;
  • Other situations mentioned in the Privacy Notices.

In the same context, we may also refer to you as the "data subject".

WHAT IS THE SOURCE OF PERSONAL DATA?

We obtain the data we process both directly and indirectly from you when you interact with us according to the information set out in this Privacy Policy.

When you send us data that is not yours, in situations such as registering the contact details of another person, using another person’s credit card when you make payments, providing personal data to the children you accompany and for whom you are not legally liable, when submitting  resumes of another person or similar situations, please inform the respective persons and their guardians accordingly by making our Privacy Policy known before using them in relation to us.

WHAT IS THE LEGAL FRAMEWORK UNDER WHICH WE PROCESS YOUR PERSONAL DATA?

We process your personal data in accordance with national and European provisions on the protection of personal data, in particular:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
  • Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sectors (Directive on privacy and electronic communications)
  • Law no. 190/2018 on the measures for the application of Regulation (EU) 2016/679;

For the purposes of this Privacy Policy, we will collectively refer to them as “data protection laws” .

We shall also consider:

  • Recommendations of data protection authorities on the processing of personal data or other authorized institutions;
  • Any other national and european legal regulations that we are required to comply with regarding the processing of your data.

WHY DO WE PROCESS YOUR DATA?

The purposes for which we may process your personal data are varied.

We generally process your personal data when necessary to provide you with Therme’s products and services, under a contract or to fulfill our legal obligations arising from our activity (e.g. tax obligations, storage and archiving of supporting documents, communication with authorities etc.), or when it is necessary to defend our legitimate interest.

Legitimate interest may refer to:

  • Ensuring people’s health and safety;
  • Preventing and combating crime and fraud;
  • Ensuring the security and protection of people, Therme’s goods and values;
  • Preventing financial losses;
  • Recovery of damages;
  • The defense of rights in court;
  • Security of information networks;
  • Providing and improving Therme’s products and services;
  • Optimising Therme's internal processes, taking into account the specific nature of the Business.
  • To go through the necessary internal and legal procedures regarding the management of incidents / accidents;
  • Taking the necessary steps to identify you, when necessary;
  • Protecting Therme’s reputation;
  • Developing reports and analysis resulting from our work;
  • Use of cookies necessary for the functionality of the website;
  • Promoting Therme’s products and services;
  • Promoting Therme's and Therme Group's events and marketing campaigns;
  • Promoting Therme’s image and the group to which it belongs;
  • Ensuring the compliance of visitors with regard to the observance of the Therme Internal order Regulations;
  • Solving the requests you submit to us;
  • Providing technical support;
  • Other similar situations.

The processing of your data by us or other third parties for the above-mentioned situations will always be carried out on the basis of a rigorous analysis that results in the need for the processing and that it will not unduly affect your fundamental rights and freedoms.

We shall also use consent as a legal basis whenever we process your data based on your prior permission in various situations (Therme newsletter sign up, participation in survey, etc.). When we rely on this legal basis, you always have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.

Please refer to our Privacy Notices, in order to obtain detailed information on the legal grounds and purposes that are used in connection with the processing of your data.

WHO ELSE HAS ACCESS TO YOUR PERSONAL DATA?

Your data may also be disclosed to other third parties such as IT service providers, payment processors, financial-accounting service providers, marketing service providers, safety and health service providers, application and web tool providers, website and mobile app developers, market research providers, recruitment service providers, consultants, lawyers, legal advisors, auditors, or other similar entities.

We only disclose your data to them when necessary, taking into account the risks and applying appropriate safeguards.

Some of the categories of recipients mentioned may process your data for their own purposes or in accordance with the legal requirements imposed on them by the authorities. In this context, they are also data controllers for the processing activities carried out, becoming directly responsible for compliance with data protection laws.

Others will process personal data only at our request and for our purposes, based on prior instructions. They are considered our processors for the processing of your personal data.

We only use trusted processors, who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing of your data complies with the requirements of data protection law. The processing of your personal data by our processors is always governed by a contract or other legal act before we disclose their data.

THE LIST OF THERME’S MAIN PROCESSORS:  [CLICK HERE]

It is also possible to transmit your data to authorities or certain government institutions, only when we are required by law to do so or when we have a well-founded legitimate interests.

In specific situations, some information about you (pseudonymized, anonymised or directly identifiable), usually statistical and marketing, may be shared globally to the Group that the Therms is part of.

The global Therme Group's Privacy Policy can be found here: www.thermegroup.com 

INTERNATIONAL DATA TRANSFER

As a rule, the data we collect about you is processed in Romania, but also within the European Union, where the same legal provisions apply in the field of data protection.

Your data may also be transferred to countries that offer an adequate level of protection (e.g. the United Kingdom of Great Britain and Northern Ireland), as decided by the European Commission on the appropriate level. The full list of countries can be consulted here. In other words, transfers to these destinations are considered as safe as transfers between EU Member countries. Transfers made under these conditions do not require special authorizations.

We may also transfer your personal data to third countries such as the United States of America or international organisations that do not provide an adequate level of data protection, in accordance with the requirements of the European Commission. In this situation, we will take all appropriate safeguards to protect your data and to ensure that you have effective remedies to exercise your rights.

In this context, we shall ensure that there are Standard Contractual Clauses, approved by the European Commission, which will be signed with companies in these third countries, as well as contracts on data processing if these companies are our processors.

Where we cannot find other appropriate safeguards, we will only transfer data to these destinations under the following conditions:

  • We ask for your consent in advance, after informing you of the possible risks;
  • We transfer data only at your request, for the performance of a contract or the application of necessary pre-contractual measures in relation to us.
  • The transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and another natural or legal person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise or defense of a right in court;
  • The transfer is necessary to protect your vital interests or those of others when you are not in the physical or legal capacity to express your consent;
  • Other situations provided by law;

We will ensure that any international transfer of personal data is managed with particular care to protect your rights and freedoms.

HOW DO WE PROTECT YOUR PERSONAL DATA?

We make continuous efforts to protect your data throughout its lifetime, to prevent, eliminate or reduce the risks posed by processing activities.

Our data protection team is backed up by cybersecurity experts, legal advisors or specialists in various fileds related to the business and also by the top management,  who together define and implement appropriate strategies, policies and procedures for the protection of your personal data.

Our privacy and data protection program ensures that all necessary measures are effectively addressed to meet legal requirements by implementing policies and procedures adapted to the specifics of our activity.

We regularly train our employees in relation to their field of activity and the risk posed by the activity they carry out.

Through the information security program we promote in particular techniques such as pseudonymisation and encryption of personal data.

We take into account the risks and impact that a potential data breach may have on your rights and freedoms, so we have implemented procedures that help prevent, remedy or mitigate the impact on the privacy of your personal data in the event of such a risk materializes.

We carry out data protection impact assessments whenever a particular processing activity may pose a risk to your fundamental rights and freedoms before we start processing your data.

We impose special conditions on all our processors before transmitting your personal data to them in accordance with data protection laws.

We ensure data protection from the moment of design and by default for the entire duration of processing when we implement new IT systems or new processing activities.

We have appointed a data protection team that includes privacy specialists as well as a data protection officer, who together monitors the compliance of our personal data processing activities in accordance with legal requirements.

We keep records of processing activities that fall under our responsibility as a data controller.

We have limited the retention of personal data in accordance with legal requirements and our legitimate interests and we ensure their safe destruction.

We regularly audit IT systems in order to improve security measures ensuring an adequate level of security, in line with the technological development of the market.

WHAT ARE YOUR RIGHTS?

Under the conditions set out in the data protection laws, as a data subject, you have the following rights:

  • Right to be informed, right to receive details of the processing of your personal data, as described in the Privacy Policy and the Privacy Notices;
  • Right of access, the right to obtain confirmation from us regarding the processing of personal data, as well as details of the processing activities;
  • Right to rectification, the right to obtain the correction of inaccurate/unjustified personal data, as well as the completion of incomplete data;
  • Right to erasure without undue delay, („right to be forgotten”), under the conditions provided by the data protection laws;
  • Right to restriction of processing, to the extent that you contest the accuracy of the data, the processing is unlawful and you oppose to the erasure, requesting instead the restriction of its use, or when we no longer have any purpose to process your data, but you request it for the establishment, exercise or defence of a right in court or when you object to the processing of data for a period enabling us to confirm our legitimate interests;
  • Right to data portability to another controller, under the conditions stipulated by law;
  • Right to object to the processing of personal data, at any time, free of charge and without any justification, when the data is processed for direct marketing purposes or when the processing is based on one of our legitimate interests invoked, unless we can demonstrate that there are legitimate reasons justifying that processing;
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you or similarly affects you to a significant extent, with the exceptions set out in data protection laws;
  • Right to withdraw your consent, at any time;
  • Right to lodge a complaint with a supervisory authority, if you consider that the processing of your personal data infringes data protection laws.

HOW CAN YOU EXERCISE YOUR RIGHTS?

If you wish to exercise any of your rights related to the processing of your personal data, to obtain clarification or further information, please contact our Data Protection Officer, by email, at dataprotection@therme.ro.

We will comply with your request within 30 calendar days from the date of receipt of your request. Given the complexity and number of requests, we can extend this period by another two months. We will always inform you in advance of this extension, together with the reason for the delay.

Depending on the nature of the request, where the information you submit to us is insufficient to identify you, investigate and resolve your request, we may ask you for additional information.

Before responding to any request, we will always ensure that we have sufficient data to ensure that you are the owner of the data. If we are unable to identify you, we may refuse to provide you with the requested information that may not belong to you.

We may also refuse to comply with your requests if you ask us for the same information repeatedly, excessively or without legal basis.

PRIVACY NOTICES:

To obtain details of the main processing activities carried out by us, please visit the Privacy Notices below:

PRIVACY NOTICE ON THE USE OF COOKIES OR SIMILAR TECHNOLOGIES

PRIVACY NOTICE ON THE PURCHASE OF THERME PRODUCTS AND SERVICES

PRIVACY NOTICE ON THE USE OF THE  ACCESS BRACELETS

PRIVACY NOTICE ON MARKETING NOTIFICATIONS

PRIVACY NOTICE ON THE REGISTRATION AND USE OF THE MYTHERME ACCOUNT

PRIVACY NOTICE ON THE REGISTRATION AND USE OF THE MYTHERME CORPORATE ACCOUNT

PRIVACY NOTICE ON THE INSTALLATION AND USE OF MYTHERME MOBILE APPLICATIONS

PRIVACY NOTICE ON MANAGING YOUR REQUESTS

PRIVACY NOTICE ON MARKETING EVENTS

PRIVACY NOTICE ON SURVEYS

PRIVACY NOTICE ON THE USE OF THE THERME’S WIFI NETWORK

PRIVACY NOTICE ON FILLING/SUBMITTING IN THE VARIOUS FORMS/REQUESTS

PRIVACY NOTICE ON VIDEO SURVEILLANCE

PRIVACY NOTICE ON PROVIDING FIRST AID ASSISTANCE

PRIVACY NOTICE ON THE SELECTION AND RECRUITMENT OF CANDIDATES

PRIVACY NOTICE ON THE PROCESSING OF DATA OF CONTRACTUAL PARTNERS

If you consider that the information presented in the Privacy Notices is not sufficient or you do not find the information you are looking for, please contact us.

OTHER DATA CONTROLLERS THAT MAY PROCESS YOUR PERSONAL DATA

Within the Therme București complex, your data can also be processed by other data controllers, that you may interact with, in various situations:

  • Taxi companies, when you make taxi orders using their ordering system, located in the reception area.
  • Press, when we allow them access to conduct interviews for journalistic purposes.
  • Contract partners to whom we allow access to conduct events, TV productions, product and service promotions for their own purposes.
  • Any other natural or legal person who carries out professional activities, deciding the purposes and means of processing in relation to your personal data.
  • Any other natural or legal person who processes data for their own purposes within Therme București with or without authorization.

One of the controllers operating inside Therme, that worth mentioning is Phyxd, Inc. (Phy), a US-based company. Phy is providing services for Therme’s visitors as an external and independent service provider, in specific locations, authorised by Therme.

Phyxd, Inc and its subsidiary  Phy Romania SRL, process personal data for operating the Phy solution placed inside Therme Bucuresti, offering the visitors the chance to access its services.

The Phy Solution is a three-dimensional volumetric computer vision technology, that assesses postural patterns to help inform users and their health coaches and professionals regarding posture and musculo-skeletal issues and offers options for exercise programs to optimize human movement and performance.

Phy is the sole controller and is accountable for processing data in accordance with Romanian and EU privacy laws.

In relation to the Phy solution, Therme is not a controller nor a joint controller or processor.

For any privacy matters related to the Phy solution, please contact Phy at: privacy@phy.health

You can also check their privacy policy at:

https://www.phy.health/privacy-policy   

https://www.phy.health/notice-of-privacy-practices

The data controllers mentioned above have full responsibility to fulfill all legal obligations under data protection laws.

This Privacy Policy does not concern data controllers other than Therme.

UPDATES OF THE PRIVACY POLICY

We will update the Privacy Policy to the extent necessary to reflect any changes in the processing of your personal data in relation to our processing activities and legislative changes that may occur in data protection laws.

Please visit this page periodically to make sure you always have up-to-date information.

Last update:  April 2024