INTRODUCTION
Through this Privacy Policy we want to provide you with all the necessary information regarding the processing of personal data, which we collect directly or indirectly from you when you interact with us.
We are committed to ensuring the confidentiality and protection of your personal data and to be fully transparent about the situations, purposes and means in which we carry out our processing activities.
When we request personal data from you, we shall in particular ensure that it is appropriate, relevant and limited to what is necessary in relation to the specified, explicit and legitimate purposes.
We pay special attention to your rights and respond to your requests when you need additional information.
Within this Privacy Policy you can access the Privacy Notices, where we detail the main processing activities.
WHO ARE WE AND HOW CAN YOU CONTACT US?
We are Therme Nord București S.R.L. (“Therme”, “We”), Romanian legal entity, registered at the Trade Register Sibiu, under number J32/55/2012, CUI RO 28472550.
When we act as data controller, deciding the purposes and means of personal data processing, we have the responsibility to fulfill all legal requirements regarding the processing of your personal data.
Our registered office is located in Romania, Sibiu, Victor Hugo street, no. 2, building C1, office 1, 1st floor.
We operate from our working point, in Balotești, Calea Bucureşti, no. 1K, Ilfov County, Romania (Therme Bucureşti Complex).
We have a data protection team and we have appointed a Data Protection Officer, who carries out their activity at the address of the working point and can be contacted by email, at the email address: dataprotection@therme.ro
You can contact us by mail, courier and by email at the mentioned addresses.
TO WHOM IS ADDRESSED THIS PRIVACY POLICY?
This Privacy Policy applies to you as a visitor, customer, partner, user, employee, representant, participant in various competitions, events, winners, etc., whenever you:
In the same context, we may also refer to you as the "data subject".
WHAT IS THE SOURCE OF PERSONAL DATA?
We obtain the data we process both directly and indirectly from you when you interact with us according to the information set out in this Privacy Policy.
When you send us data that is not yours, in situations such as registering the contact details of another person, using another person’s credit card when you make payments, providing personal data to the children you accompany and for whom you are not legally liable, when submitting resumes of another person or similar situations, please inform the respective persons and their guardians accordingly by making our Privacy Policy known before using them in relation to us.
WHAT IS THE LEGAL FRAMEWORK UNDER WHICH WE PROCESS YOUR PERSONAL DATA?
We process your personal data in accordance with national and European provisions on the protection of personal data, in particular:
For the purposes of this Privacy Policy, we will collectively refer to them as “data protection laws” .
We shall also consider:
WHY DO WE PROCESS YOUR DATA?
The purposes for which we may process your personal data are varied.
We generally process your personal data when necessary to provide you with Therme’s products and services, under a contract or to fulfill our legal obligations arising from our activity (e.g. tax obligations, storage and archiving of supporting documents, communication with authorities etc.), or when it is necessary to defend our legitimate interest.
Legitimate interest may refer to:
The processing of your data by us or other third parties for the above-mentioned situations will always be carried out on the basis of a rigorous analysis that results in the need for the processing and that it will not unduly affect your fundamental rights and freedoms.
We shall also use consent as a legal basis whenever we process your data based on your prior permission in various situations (Therme newsletter sign up, participation in survey, etc.). When we rely on this legal basis, you always have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.
Please refer to our Privacy Notices, in order to obtain detailed information on the legal grounds and purposes that are used in connection with the processing of your data.
WHO ELSE HAS ACCESS TO YOUR PERSONAL DATA?
Your data may also be disclosed to other third parties such as IT service providers, payment processors, financial-accounting service providers, marketing service providers, safety and health service providers, application and web tool providers, website and mobile app developers, market research providers, recruitment service providers, consultants, lawyers, legal advisors, auditors, or other similar entities.
We only disclose your data to them when necessary, taking into account the risks and applying appropriate safeguards.
Some of the categories of recipients mentioned may process your data for their own purposes or in accordance with the legal requirements imposed on them by the authorities. In this context, they are also data controllers for the processing activities carried out, becoming directly responsible for compliance with data protection laws.
Others will process personal data only at our request and for our purposes, based on prior instructions. They are considered our processors for the processing of your personal data.
We only use trusted processors, who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing of your data complies with the requirements of data protection law. The processing of your personal data by our processors is always governed by a contract or other legal act before we disclose their data.
THE LIST OF THERME’S MAIN PROCESSORS: [CLICK HERE]
It is also possible to transmit your data to authorities or certain government institutions, only when we are required by law to do so or when we have a well-founded legitimate interests.
In specific situations, some information about you (pseudonymized, anonymised or directly identifiable), usually statistical and marketing, may be shared globally to the Group that the Therms is part of.
The global Therme Group's Privacy Policy can be found here: www.thermegroup.com
INTERNATIONAL DATA TRANSFER
As a rule, the data we collect about you is processed in Romania, but also within the European Union, where the same legal provisions apply in the field of data protection.
Your data may also be transferred to countries that offer an adequate level of protection (e.g. the United Kingdom of Great Britain and Northern Ireland), as decided by the European Commission on the appropriate level. The full list of countries can be consulted here. In other words, transfers to these destinations are considered as safe as transfers between EU Member countries. Transfers made under these conditions do not require special authorizations.
We may also transfer your personal data to third countries such as the United States of America or international organisations that do not provide an adequate level of data protection, in accordance with the requirements of the European Commission. In this situation, we will take all appropriate safeguards to protect your data and to ensure that you have effective remedies to exercise your rights.
In this context, we shall ensure that there are Standard Contractual Clauses, approved by the European Commission, which will be signed with companies in these third countries, as well as contracts on data processing if these companies are our processors.
Where we cannot find other appropriate safeguards, we will only transfer data to these destinations under the following conditions:
We will ensure that any international transfer of personal data is managed with particular care to protect your rights and freedoms.
HOW DO WE PROTECT YOUR PERSONAL DATA?
We make continuous efforts to protect your data throughout its lifetime, to prevent, eliminate or reduce the risks posed by processing activities.
Our data protection team is backed up by cybersecurity experts, legal advisors or specialists in various fileds related to the business and also by the top management, who together define and implement appropriate strategies, policies and procedures for the protection of your personal data.
Our privacy and data protection program ensures that all necessary measures are effectively addressed to meet legal requirements by implementing policies and procedures adapted to the specifics of our activity.
We regularly train our employees in relation to their field of activity and the risk posed by the activity they carry out.
Through the information security program we promote in particular techniques such as pseudonymisation and encryption of personal data.
We take into account the risks and impact that a potential data breach may have on your rights and freedoms, so we have implemented procedures that help prevent, remedy or mitigate the impact on the privacy of your personal data in the event of such a risk materializes.
We carry out data protection impact assessments whenever a particular processing activity may pose a risk to your fundamental rights and freedoms before we start processing your data.
We impose special conditions on all our processors before transmitting your personal data to them in accordance with data protection laws.
We ensure data protection from the moment of design and by default for the entire duration of processing when we implement new IT systems or new processing activities.
We have appointed a data protection team that includes privacy specialists as well as a data protection officer, who together monitors the compliance of our personal data processing activities in accordance with legal requirements.
We keep records of processing activities that fall under our responsibility as a data controller.
We have limited the retention of personal data in accordance with legal requirements and our legitimate interests and we ensure their safe destruction.
We regularly audit IT systems in order to improve security measures ensuring an adequate level of security, in line with the technological development of the market.
WHAT ARE YOUR RIGHTS?
Under the conditions set out in the data protection laws, as a data subject, you have the following rights:
HOW CAN YOU EXERCISE YOUR RIGHTS?
If you wish to exercise any of your rights related to the processing of your personal data, to obtain clarification or further information, please contact our Data Protection Officer, by email, at dataprotection@therme.ro.
We will comply with your request within 30 calendar days from the date of receipt of your request. Given the complexity and number of requests, we can extend this period by another two months. We will always inform you in advance of this extension, together with the reason for the delay.
Depending on the nature of the request, where the information you submit to us is insufficient to identify you, investigate and resolve your request, we may ask you for additional information.
Before responding to any request, we will always ensure that we have sufficient data to ensure that you are the owner of the data. If we are unable to identify you, we may refuse to provide you with the requested information that may not belong to you.
We may also refuse to comply with your requests if you ask us for the same information repeatedly, excessively or without legal basis.
PRIVACY NOTICES:
To obtain details of the main processing activities carried out by us, please visit the Privacy Notices below:
PRIVACY NOTICE ON THE USE OF COOKIES OR SIMILAR TECHNOLOGIES
PRIVACY NOTICE ON THE PURCHASE OF THERME PRODUCTS AND SERVICES
PRIVACY NOTICE ON THE USE OF THE ACCESS BRACELETS
PRIVACY NOTICE ON MARKETING NOTIFICATIONS
PRIVACY NOTICE ON THE REGISTRATION AND USE OF THE MYTHERME ACCOUNT
PRIVACY NOTICE ON THE REGISTRATION AND USE OF THE MYTHERME CORPORATE ACCOUNT
PRIVACY NOTICE ON THE INSTALLATION AND USE OF MYTHERME MOBILE APPLICATIONS
PRIVACY NOTICE ON MANAGING YOUR REQUESTS
PRIVACY NOTICE ON MARKETING EVENTS
PRIVACY NOTICE ON THE USE OF THE THERME’S WIFI NETWORK
PRIVACY NOTICE ON FILLING/SUBMITTING IN THE VARIOUS FORMS/REQUESTS
PRIVACY NOTICE ON VIDEO SURVEILLANCE
PRIVACY NOTICE ON PROVIDING FIRST AID ASSISTANCE
PRIVACY NOTICE ON THE SELECTION AND RECRUITMENT OF CANDIDATES
PRIVACY NOTICE ON THE PROCESSING OF DATA OF CONTRACTUAL PARTNERS
If you consider that the information presented in the Privacy Notices is not sufficient or you do not find the information you are looking for, please contact us.
OTHER DATA CONTROLLERS THAT MAY PROCESS YOUR PERSONAL DATA
Within the Therme București complex, your data can also be processed by other data controllers, that you may interact with, in various situations:
One of the controllers operating inside Therme, that worth mentioning is Phyxd, Inc. (Phy), a US-based company. Phy is providing services for Therme’s visitors as an external and independent service provider, in specific locations, authorised by Therme.
Phyxd, Inc and its subsidiary Phy Romania SRL, process personal data for operating the Phy solution placed inside Therme Bucuresti, offering the visitors the chance to access its services.
The Phy Solution is a three-dimensional volumetric computer vision technology, that assesses postural patterns to help inform users and their health coaches and professionals regarding posture and musculo-skeletal issues and offers options for exercise programs to optimize human movement and performance.
Phy is the sole controller and is accountable for processing data in accordance with Romanian and EU privacy laws.
In relation to the Phy solution, Therme is not a controller nor a joint controller or processor.
For any privacy matters related to the Phy solution, please contact Phy at: privacy@phy.health
You can also check their privacy policy at:
https://www.phy.health/privacy-policy
https://www.phy.health/notice-of-privacy-practices
The data controllers mentioned above have full responsibility to fulfill all legal obligations under data protection laws.
This Privacy Policy does not concern data controllers other than Therme.
UPDATES OF THE PRIVACY POLICY
We will update the Privacy Policy to the extent necessary to reflect any changes in the processing of your personal data in relation to our processing activities and legislative changes that may occur in data protection laws.
Please visit this page periodically to make sure you always have up-to-date information.
Last update: April 2024