1. BASIC TERMS
1.1. The Company – JOIN UP RO S.R.L., legal entity registration number: 46332415 of 21/06/2022, address: 178 Vasile Lascar Street, 4th floor, sector 2, Bucharest, 020512, Romania. Company website address: joinup.ro.
1.2. Personal data – any information relating to an identified or identifiable natural person (‘Data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. Data subject – is a natural person from whom the Company receives data and whose data it processes.
1.4. Recipient of the data – a legal or natural person to whom personal data are disclosed – whether or not it is a third party.
1.5. Provision of data – disclosure of personal data by transfer or otherwise making them available (except publications in the media).
1.6. Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. Automatic data processing – data processing operations performed in whole or in part by automated means.
1.8. Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.9. Processor – a legal or natural person (other than an employee of the Data Controller) authorized by the Data Controller to process Personal Data.
1.10. Sensitive personal data – data related to a person’s race or ethnic origin, political, religious, philosophical or other beliefs, trade union membership, health, genetics, biometrics, sexual life. Consent to the processing of sensitive personal data must be explicitly expressed in writing, in another equivalent form, which clearly demonstrates the Data subject’s intention to process such personal data for one or more specific purposes.
1.11. Consent – a voluntary expression of the Data subject’s consent to the processing of his or her Personal data for a purpose that has been communicated to the Data subject.
1.12. Direct marketing – the activity of offering goods or services to persons by post, telephone or other direct means and (or) seeking their views on the goods or services offered.
1.13. Third party – a legal or natural person who is not a Data subject, the Data Controller, the Data Processor and persons who have been directly authorized by the Data Controller or the Data Processor to process the data.
1.14. The data controller and/or the procedure for his or her appointment may be laid down by law or other regulations.
1.15. Other terms used in this Personal Data Processing Regulation are specified in the Law on Personal Data Protection.
2. MAIN OBJECTIVES OF THE PROCESSING AND USE OF PERSONAL DATA
2.2. The purpose of the Regulations is to determine the principles and procedures for the Processing of Personal data in the Company, as well as to ensure the implementation of the provisions of the legal protection of Personal data specified in laws and other legal acts.
2.3. The purpose of the Regulations is to provide for the main technical and organizational measures of the Processing of Personal data and the implementation of the Data subject’s rights in the field of Data protection in order to ensure the legal protection of Personal data and the observance and implementation of laws governing it.
2.4. The Company processes the Personal data provided voluntarily by the Data subject by post, registered letter, e-mail, fax, telephone or directly to the Company’s or it’s travel agent’s point of sale, as well as via the Company’s website.
2.6. Information obtained from the Data subject may not be disclosed to Third parties without legal justification, except for persons who participate in or in any way facilitate the provision or implementation of tourism or other services ordered by the Data subject. The Personal data of the Data subject may also be transferred to the Data Processors with whom the Company has entered into a Personal data Processing or other agreement specifying the requirements for the processing and storage of Personal data. In this case, the legal liability for violations or losses of personal data processing lies with the Data Controller who is responsible for the violations or losses. In other cases, Personal data may only be disclosed to Third parties if required by law. Personal data may also be transferred to public administration and law enforcement authorities, if such an obligation of the Company is enshrined in law.
2.7. Purposes of the use of Personal data of the Data subject:
2.7.1. For ordering and administration of services provided by the Company:
126.96.36.199. For the identification of the Data Subject in reservation and other information systems;
188.8.131.52. For Data subject orders on the website;
184.108.40.206. For reviewing and administering claims and other inquires of the Data subject;
220.127.116.11. For the operative informing of the Data subject regarding amendments to the terms and conditions for the provision of services;
18.104.22.168. For communication with the Data subject in order to conclude agreement and for further cooperation between the Company and the Data subject;
22.214.171.124. For the provision of Personal data to tourism or other service providers in compliance with the orders of the Data subject.
126.96.36.199. Performance of other obligations.
2.7.2. To meet the requirements of public administration institutions and legal acts:
188.8.131.52. to meet the requirements for crossing the state border;
184.108.40.206. customs control requirements;
220.127.116.11. visa obtainment requirements;
18.104.22.168. to meet other border crossing requirements;
22.214.171.124. to carry out instructions from public administrations;
126.96.36.199. compliance with legislation requiring the provision of information to tourists and travelers;
188.8.131.52. for other purposes of preventing infringements.
2.7.3. For direct marketing purposes:
184.108.40.206. for the provision of tourism and other services;
220.127.116.11. for the cooperation and joint provision of tourism services with tourism service providers;
18.104.22.168. performance analysis to improve service quality;
2.7.4. For issuance of financial documents:
22.214.171.124. for the issuance of accounting documents regarding the purchased package travel and other tourism services.
2.8. Personal data is collected only in accordance with the law, by receiving it directly from the Data subject, requesting the necessary information from the subjects who process this Personal data or who have the right to provide this data, on the basis of agreements and legislation, by connecting to separate databases, registers and information systems in which Personal data are stored on the basis of data provision agreements or one-off requests. Personal data could be provided by the Data subject via the Company website (websites) and/or via the Company social network accounts (with confirmed official status).
2.9. By providing the Company with its Personal data, the Data subject voluntarily agrees that the Company processes the Personal data of the Data Subject in compliance with the requirements specified in the Regulations and other legal acts.
2.10. Data subjects on whose behalf another Data subject purchases a package travel or other tourism service by signing a tourism service agreement or other agreement agree and do not object to the Processing of their Personal data provided to the Company by the person signing the agreement. In this case, it is considered that the person who has signed the agreement, when providing the Company with data on another Data subject – the Beneficiary – behalf is correct and is submitted with the consent of the Beneficiary. The Beneficiary shall be deemed to agree and not object to the Processing of such Personal data provided to the Company.
2.11. The Company may disclose and transfer the Data subject’s Personal data to third parties outside the EU that the Company has engaged in the implementation and administration of the services ordered by the Data subject. The Company obliges such Third parties to keep the Personal data transferred to them confidential and secure.
2.12. The Company processes and stores all Personal data for no longer than is necessary to achieve the purposes of using the Personal data provided for in these Regulations.
3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
3.1. When Processing Personal data, the requirements for the Processing of Personal data are observed:
3.1.1. Personal data are collected for specified and legitimate purposes and may not be processed for purposes other than those stated above for the purposes for which they were collected;
3.1.2. Personal data is Processed correctly, fairly and lawfully;
3.1.3. Personal data must be accurate and, if necessary for the Processing of Personal data, they must be constantly updated, inaccurate or incomplete data must be corrected, supplemented, deleted or suspended;
3.1.4. Personal data must be limited to what is necessary for their collection and Processing;
3.1.5. Personal data shall be stored in such a way that the identity of the Data subject can be established for no longer than is necessary for the purposes for which the data were collected and processed;
3.1.6. Personal data is Processed in accordance with the Personal Data Processing Law and other legal acts regulating the respective activities, where the requirements for the processing of Personal data are clearly and transparently defined;
3.1.7. Legislation allows the processing of Personal data to the extent that there are legitimate grounds for doing so. Thus, when processing Personal data, the Company relies on one of the following processing conditions: >
- Execution of the Agreement: in this case the Processing of Personal data is necessary to fulfil the Company’s contractual obligations towards the Data subject arising from the agreement concluded between the Company and the Data subject;
- Legal obligation: in this case, the Company must Process Personal data in order to fulfil a legal obligation, such as to store data for tax purposes or to provide information to a public authority or law enforcement authority;
- Legitimate interests: the Company will Process Personal data if such Processing coincides with the legitimate interests of the Company in conducting legitimate business in order to promote the growth of the Company to the extent that it does not infringe the interests of the Data subject;
- Consent: in certain cases, the Company may request the special permission of the Data subject to Process Personal data, and the Company will only Process Personal data in this way if the Data subject consents to such Processing.
4. FUNCTIONS, RIGHTS, AND OBLIGATIONS OF THE DATA CONTROLLER AND THE DATA PROCESSOR
4.1. The Controller has the following rights:
4.1.1. develop and adopt internal terms governing the Processing of Personal data;
4.1.2. to appoint a specialist or structural unit responsible for the protection of Personal data;
4.1.3. to authorize Data Processors for the Processing of Personal data;
4.2. The Controller has the following responsibilities:
4.2.1. to ensure that the requirements of the regulatory enactments regarding the legal protection of Personal data, which regulate the Processing of Personal data, are complied with;
4.2.2. to exercise the rights of the Data subject, the legal Protection of Personal data and in accordance with the procedures specified in these Regulations
4.2.3. to ensure the security of Personal data by implementing technical and organizational data security measures;
4.2.4. consult the authority responsible for the protection of personal data;
4.2.5. appoint a data protection officer if required by law;
4.2.6. to follow the procedures specified in legal acts, to report on data security violations.
4.3. The Controller performs the following functions:
4.3.1. analyses the technological, methodological and organizational problems of Personal data processing and makes decisions that are necessary for the proper Processing of Personal data;
4.3.2. provides methodological assistance to employees and data Processors for the purposes of Personal data Processing;
4.3.3. organizes training of employees on the issues of legal protection of Personal data;
4.3.4. perform other functions necessary for the implementation of the rights and obligations of the data Controller.
4.4. The data Processor has the rights and obligations and performs the functions provided for in the Personal Data Processing Agreement or another agreement.
4.5. The data Processor has the following rights:
4.5.1. to provide the Data Controller with proposals for technical and software improvements of data Processing;
4.5.2. to Process Personal data within the limits of the authorization provided by the Data Controller;
4.5.3. other rights provided for in the Personal Data Processing Agreement or another agreement.
4.6. The Data Controller has the following responsibilities:
4.6.1. implement appropriate organizational and technical data protection measures designed to prevent the accidental or unlawful deletion, alteration, disclosure of Personal data and their unlawful processing.
4.6.2. to acquaint employees who have been re-employed with the Regulations;
4.6.3. to ensure that access to Personal data is granted only to duly authorized persons;
4.6.4. to ensure that Personal data is stored within the time limits provided by law;
4.6.5. to ensure that Personal data is processed in accordance with the Regulations and the requirements of the legislation on the legal protection of Personal data.
4.6.6. to respect the confidentiality of Personal data, not to disclose, not to provide the processed information, not to create conditions for any person who is not authorized to use such information, to access this data by any means and to get acquainted with it;
4.6.7. assist the Controller in securing the obligations incumbent on him;
4.6.8. if required by law, appoint a data protection officer;>
4.6.9. immediately notify the Controller of data security breaches;
4.6.10. comply with all obligations set out in legal acts.
4.7. The Processor performs the following functions:
4.7.1. implements Personal data security measures;
4.7.2. processes Personal data in accordance with the requirements of legal acts and the instructions of the Controller;
4.7.3. perform other functions specified by law.
5. RIGHTS OF THE DATA SUBJECT
5.1. The Data Subject has the right:
5.1.1. to know (be informed) about the processing of your Personal data;
5.1.2. to get acquainted with your Personal data and the way they are processed;
5.1.3. to transfer your Personal data (you have the right to receive a copy of your Personal data in a structured, printed format);
5.1.4. to request the correction, deletion of your Personal Data or the suspension of the processing of Personal Data, except for their storage, if the data is processed without complying with the regulatory enactments regarding the legal protection of Personal data;
5.1.5. to object the processing of your Personal data;
5.1.6. restrict the processing of your Personal data or do not consent to the processing of your Personal data / withdraw consent, unless otherwise provided by law and the Regulations.>
5.2. You also have the right to lodge a complaint to a data protection authority on your personal data processing issues. For more information, please contact your local data protection authority in the European Economic Area (EEA). We recommend you contact us to resolve all your questions and inquiries to the extent permitted by law, and we will reply promptly. The following paragraphs describe a way to implement some of your rights under the provisions of the General Data Protection Regulation.
5.3. ACCESS TO PERSONAL DATA:
5.3.1. When submitting an identity document in accordance with the procedures prescribed by law or by electronic means of communication that ensure proper identification of a person, the Data subject has the right to get acquainted with his/her Personal data in the Company free of charge and to receive information from which sources and Personal data are collected, the purposes for which they are processed and the recipients to whom they have been submitted during the last year. Upon receipt of the Data subject’s request, the Company shall provide the requested data in writing or indicate the reasons for the refusal to comply with this request no later than within 30 calendar days from the date of receipt of the Data subject’s request.
5.3.2. You can request access to your Personal data or make corrections by writing to us at the email address provided in the “CONTACTS” section. If the information is not available or changed, we will inform you of the reasons for that. Please note that we may ask you to verify your identity before responding to such requests.
5.4. The Data subject also has the right to refuse to provide Personal data, but in this case the Company will not be able to provide the desired services to the Data subject, and the Data subject may not bring claims for non-provision of the service.
5.5. DATA DELETION:
5.5.1. You have the right to require deletion of your Personal data by sending us an email to the email address provided in the “CONTACTS” section. We will process your request in accordance with applicable data protection laws. We may need to retain certain information for record-keeping purposes and/or to complete transactions that you began prior to requesting any deletion of Personal Data. You also can revoke your consent to Personal data processing at any time. In the event that you withdraw your consent to Personal data processing and we will have no legal basis to continue processing your data, we will stop processing your Personal information. If we have legal grounds for processing your information, we have the right to continue using Personal data within the limits provided by law.
6. PROCESSING OF PERSONAL DATA
6.1. The Company processes automatically and manually:
6.1.1. Name, surname, personal identification number, residential address, e-mail address, mobile or fixed telephone number, data from the identity document, date of issue and validity, place, number, date of birth of the Data subject, Representative of the Data Subject or Beneficiary, gender, nationality, issuing country, data of the credit/debit card or other means of payment, information on special needs (applicable only and only to those Data subjects for whom it is relevant), Internet Protocol address (IP), date and time when the Data subject visited the Company’s website. >
126.96.36.199. In addition to the information you provide, we may also collect information about your use of our services using your device and other software on your device, such as Device Data, hardware model, IMEI number, and other unique device ID, MAC address, operating system version and the settings of the device you are using to access the service. Login information: usage time and duration, search query terms you enter, any information stored in cookies that we have set on your device. Location information: GPS signal from your device or information about nearby WiFi access points and cell towers that may be provided to us if you use the search feature. Other information about which applications you use, what websites you visit, and how you handle the content that is offered on our website.
6.2. Personal data shall be kept for no longer than is necessary for the purposes of the processing, taking into account the type of document or file in which the data are contained. At the end of the storage period of the document in which these data are indicated, a decision on their liquidation shall be made, and the document shall be liquidated in accordance with the procedures prescribed by law. Permanently stored documents containing Personal data must be sent for archiving in accordance with the procedures prescribed by law.
7. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING
7.1. Personal data may only be processed for direct marketing purposes, only after the Data subject has given his or her consent. Consent to the processing of personal data for direct marketing purposes can be given in various ways: by deciding to subscribe to the Company’s newsletters, by expressing a wish in writing, in a contract, on a website or in another data storage medium, by expressing consent (by signing, clicking on the relevant box, in other ways) to receive commercial and other services provided by the Company and other offers related to the work of the Company (games, lotteries, etc.).
7.2. If the Company, having provided services, has previously received a personal e-mail from the Data subjects, these data may be used without the separate consent of the Data subject only for the purposes of marketing the Company’s services. The Data subject has the right to refuse the use of Personal data for marketing purposes by electronic or registered letter, as well as in another express form, informing the Company thereof.
7.3. Special consent selected by the Data subject may be displayed when the Data subject consents to the processing of Personal data for the purposes of direct marketing, by visiting the Company’s website, browsing third party websites and social networks, and using mobile phone applications.
7.4. The Data subject’s Personal data for direct marketing purposes is stored for 3 years or less if the Data subject’s request for refusal to receive direct marketing notifications is received.
8. POLICY FOR COOKIES AND OTHER WEBSITE INDICATORS
8.2. Cookies are text information that a website sends to a browser cookie file on your computer’s hard drive. This way, the website recognizes you when you visit it again, or if it contains information that is important to you. This includes information about the internal pages you have visited, what menu items you have selected, the special information you have entered in the forms included on this website, the time and date of your visit.
8.5. The Company may also use not only cookies but also Website indicators. An indicator on a website is an electronic image called a “single pixel” (1×1) or GIF image. The website indicator recognizes certain types of information on the visitor’s computer, such as the cookie number, the time and date the website was visited, and a description of the website that the indicator is on. You can deactivate any website indicators by opting out of the cookies associated with such website indicators. Website indicators can be used to determine if messages sent to you are open.
9. PROTECTION OF PERSONAL DATA
9.1. The Processing and protection of Personal data within the limits of its competence is ensured by every employee of the Company.
9.3. To prevent the accidental or unauthorized destruction, alteration, disclosure, and other unauthorized Processing of Personal Data, persons performing Personal data Processing functions must store documents and data files appropriately and securely and avoid making unnecessary copies.
9.4. Copies of Company documents containing Personal Data must be disposed of in such a way that these documents cannot be restored, and their contents cannot be recognized. Data subjects’ documents and their paper and/or electronic copies, archives or other files containing Personal data shall be stored in lockers, drawers or safes, and provided that they are not accessible and are protected with reasonable effort.
9.5. Company employees whose computers store Personal data must use a password. Passwords are unique, they must be created from at least 8 characters without the use of personal information. Passwords must be changed regularly and kept confidential. Passwords may not match the personal data of an employee of the Company or his/her family members. Passwords must be changed if necessary (when an employee changes, there is a danger of computer intrusion, etc.).
9.6. The computers of the Company’s employees, which store Personal data, must have an automatically updated antivirus program.
9.7. Files on the computers of employees of the Company, in which Personal data is collected, may not be accessible to users of other computers whose activities do not use Personal data.
9.8. Every employee of the Company who Processes Personal data signs a commitment to confidentiality.
9.9. An employee of the Company must immediately inform the management of the Company or its authorized representative of an event that may pose a threat to the security of Personal data and make every precautionary effort to avoid such cases.
10. LEGAL LIABILITY
10.1. The Data Subject shall provide the Company only with the correct Personal data of itself, the persons it represents and the Beneficiaries.
10.2. The Data Subject must immediately inform the Company about the relevant changes in the Personal Data of the Data subject or the Beneficiary.
10.3. The Company shall not be liable for damages caused to the Data subject or third parties if the Data subject, indicating his/her personal data, the person he/she represents or the Beneficiary, has provided erroneous, inaccurate or incomplete Personal Data or has not duly informed about its changes.
11. FINAL TERMS
11.2. Based on these Regulations, disputes shall be settled in accordance with the laws of the Republic of Romania.
11.3. All disputes or disputes arising between the Parties regarding or related to these Regulations shall be settled in the competent court of the Republic of Romania according to its jurisdiction.
JOIN UP RO S.R.L.
178 Vasile Lascar Street, 4th floor, sector 2, Bucharest, 020512, Romania
Email: [email protected]