POLICY ON THE PROCESSING OF PERSONAL DATA

I. IDENTIFICATION DATA OF THE CONTROLLER AND PURPOSE OF THIS POLICY

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), the company PANZER TRAVEL SRL having its registered office in Bucharest, Istriei str. no. 6, blk. 21D, sc. A, flr. 5, apt. 34, District 3, postal code 031945, tel. +40726105360; e-mail: office@panzertravel.com, tax registration number 41016080, registration number in the Trade Register J40/5490/2019, holder of the Tourism License no. 2070/27.08.2019, for Travel Agency PANZER TRAVEL, represented by Mr. Ioana Gabriel – Director, is a data controller (“the Controller” or “We”).

The protection of your personal data is very important to us. Therefore, in order for your data to be processed securely and in accordance with the applicable legal provisions, we have made every effort to implement the adequate and reasonable, technical and organizational measures necessary to protect your personal data.

We encourage you to carefully read this Policy on the protection of personal data (the ”Policy”) in order to be informed of how we will process your personal data, as well as what your rights are under the law on the protection of personal data and how you can exercise such rights.

In addition, after reading the Policy, you will be informed about the categories of personal data that we will process, the purposes for which we will retrieve your personal data, what is the basis of the processing and, last but not least, the period for which we will store your personal data.

If you do not agree with those described in the Policy, please do not use our services.

II. DEFINITIONS

  • (i) “Data subject” means any identified or identifiable natural person whose personal data are processed by the Controller. For example, customers, potential customers are data subjects.
  • (ii) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • (iii) “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • (iv) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purpose of this Policy, Personal Data are listed in point III:

The other terms used in the Policy have the meaning conferred by the GDPR and other applicable legal provisions.

III. CATEGORIES OF PERSONAL DATA PROCESSED

In order to fulfill the processing purposes defined below, we process several categories of personal data (“Personal Data”), as follows:

  • (i) Personal data provided directly by you as a result of requesting and concluding a contract for the sale of travel services: identification data and contact details (surname and first name, telephone number, home address, e-mail address, identity card series and number, passport series and number, Personal Identification Number, birth date, sex);
  • (ii) Personal data obtained from third parties (court, public authorities or external third parties).

IV. PURPOSES AND LEGAL GROUNDS FOR PROCESSING

Personal data are processed, in principle, for the following purposes:

  • 1) For the conclusion and performance of a contract (article 6 paragraph (1) letter b) of the GDPR):
    • (i) Provision of travel services;
    • (ii) Resolving any issues or complaints regarding the provision of travel services, including their assignment;
    • (iii) Replacement of travel services, in accordance with the legal provisions in force;
    • (iv) Reimbursement of amounts related to travel services, in accordance with the legal provisions in force;
    • (v) Providing support/assistance services, providing answers to your questions sent to the Controller’s contact details regarding the travel services or any other requests related to our services.
  • 2) For the fulfillment of our legal obligations, such as tax and financial-accounting obligations (article 6 paragraph (1) letter c) of the GDPR).
  • 3) In our legitimate interest or that of our partners, always ensuring that the interests, rights and fundamental freedoms of our clients prevail. For example, we will process your personal data both to prevent and combat fraud and possible crime, as well as for statistical and analysis purposes of the travel services we provide for your benefit. Thus, it is possible to request and analyze your opinion about the travel services we provide for your benefit in order to manage and constantly improve the features of our services (art. 6 paragraph (1) letter f) of the GDPR).
  • 4) Based on your express consent (article 6 paragraph (1) letter a) of the GDPR), if you wish to share your personal data to third parties or for the purpose of commercial communications (marketing, advertising, conducting promotional campaigns, sending newsletters, etc.). If you no longer wish to receive information and/or commercial communications (such as promotions or offers), you may at any time unsubscribe, by sending us a notice in this respect, and we will immediately stop sending these categories of messages.

V. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

For the purpose of performing the contract concluded between us and you, we will provide, when necessary, certain personal data to the following categories of recipients:

  • (i) Providers of payment/banking services;
  • (ii) Public Authorities (Territorial Labor Inspectorate);
  • (iii) Our partners, for the provision of travel services;
  • (iv) Service providers (accounting);
  • (v) Insurers (insurance companies), if applicable.

Also, whenever the authorities request personal data from us, indicating the legal basis of this request, we will comply with this request. Please note that we will transmit the specified personal data absolutely necessary, respecting the principle of data minimization.

Recipients are prohibited from using personal data to which they have access for their own or commercial purposes or for transmission to third parties.

Personal data will be disclosed to third parties only (1) when they are necessary for the provision of the services requested by you, in situations where we work with third parties (service providers), (2) when there is your express and unequivocal consent, (3) when they have been requested by the competent public authorities, and (4) for the fulfillment of a legal obligation.

VI. STORAGE PERIOD

We will store Personal Data for the period necessary to fulfill the purposes indicated in point IV.

Therefore, the storage period of your personal data varies depending on the purpose of processing, as follows:

  • 1) If you have purchased travel services, we will process Personal Data for the period necessary to provide the Services, as well as after the conclusion and full performance of the contract concluded with you, until the expiration of the limitation periods and of the periods imposed by financial-accounting laws. We will also use Personal Data until completion of the settlement of any complaints or disputes related to the provision of travel services to you.
  • 2) If you have given your consent to receive regular information about the travel services we provide, we will process Personal Data until you unsubscribe.

Once the data is no longer needed for the fulfillment of these purposes, we will (i) destroy or (ii) anonymize it and keep it exclusively for statistical, historical or scientific research purposes.

You can also request at any time, and we will immediately comply with your request, that some or all of the Personal Data stored by us be erased. You can also request to close your account at any time. As a result of such requests, we inform you that we will keep only those personal data that the legislation in force or our legitimate interests require us to keep.

VII. YOUR RIGHTS AS DATA SUBJECT

Your rights under the GDPR are as follows:

  • 1) The right of access to personal data. Therefore, you have the right to be informed about the processing of Personal Data, as well as the right to request a copy of the Personal Data subject to processing, as well as information on how Personal Data is managed, without prejudice to the rights and freedoms of others;
  • 2) The right to obtain the rectification without delay of inaccurate or incomplete Personal Data, following a request from you;
  • 3) The right to erasure of personal data (“the right to be forgotten”). You have the right to obtain the erasure of Personal Data, without undue delay, when:
    • (i) Personal Data are no longer necessary for the purposes for which they were collected or processed;
    • (ii) You have withdrawn your consent on which the processing is based and there is no other legal ground for the processing;
    • (iii) You objected to the processing and there are no overriding legitimate grounds for the processing. In the case of processing for marketing purposes, you may object to the processing at any time, without the need for justification in this regard;
    • (iv) Personal data has been processed unlawfully;
    • (v) Personal data must be erased in order to comply with a legal obligation incumbent on the Controller.
  • However, the right to erasure of Personal Data does not apply when processing is required in the following cases:
    • (i) for the exercise of the right to freedom of expression and information;
    • (ii) for compliance with a legal obligation of the Controller;
    • (iii) for reasons of public interest in the field of public health;
    • (iv) for archiving purposes in the public interest, for the purpose of scientific or historical research or for statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
    • (v) for the establishment, exercise or defense of legal claims.
  • 4) The right to restriction of processing. This right may be exercised when:
    • (i) you contest the accuracy of Personal Data;
    • (ii) the processing is unlawful, but you do not want your Personal Data to be deleted;
    • (iii) Personal data are no longer necessary for the original purpose, but cannot be erased yet, for legal reasons (there is a legal obligation to keep them for a certain period);
    • (iv) a decision on your objection is pending.
  • If the processing has been restricted, Personal Data may, except for storage, be processed only with your consent or for the establishment, exercise or defense of a legal claim, as well as for the protection of the rights of another natural or legal person or for reasons of public interest.
  • 5) The right to Personal Data portability, which implies the right to receive Personal Data in a structured, commonly used and easy-to-read format, as well as the right to transmit those data to another controller, to the extent that the conditions provided by law are met.
  • 6) The right not to be subject to a decision based solely on automated processing, including profiling, with legal effects or similar significant effects on you;
  • 7) The right of opposition, according to which you can oppose the processing activities, under the law. When the processing of Personal Data is for the purpose of direct marketing, you have the right to object at any time to the processing of Personal Data concerning you, without the need for justification in this respect, including objection to profiling, to the extent it is related to that direct marketing.
  • 8) The right to go to Court for the protection of your rights and interests, if you consider that the management of Personal Data has been carried out without complying with applicable law.
  • 9) The right to file a complaint with the National Supervisory Authority for Personal Data Processing, with headquarters in Bd. G-ral. Gheorghe Magheru, nr. 28-30, Sector 1, Bucharest, tel. +40.31.805.9211 or +40.318.059.212, fax: +40.31.805.9602, website: www.dataprotection.ro, email: anspdcp@dataprotection.ro.
  • Without prejudice to your right to contact at any time the National Supervisory Authority for Personal Data Processing, please contact us in advance. We assure you that we will make every effort to resolve any issue amicably.
  • Thus, for any additional information related to the protection of Personal Data, respectively to the extent that you consider that Personal Data is not processed in accordance with applicable law and the Policy or if you wish to file a complaint about the manner of processing Personal Data, please contact the Controller at the following contract details:
    • (i) Postal address: Bucharest, str. Istriei, nr. 6, bl. 21D, sc. A, et. 5, ap. 34, sector 3, postal code 031945;
    • (ii) e-mail address: office@panzertravel.com;
    • (iii) telephone number: +40726105360.

VIII. SPECIAL PROVISIONS CONCERNING THE PROCESSING OF PERSONAL DATA OF PERSONS UNDER THE AGE OF 16

The Controller does not process the Personal Data of persons under the age of 16, even when based on their consent.

In the event that we find that we have accidentally processed Personal Data belonging to a person under the age of 16, including for purposes that require consent, and there is no consent from the holder of parental responsibility, we will erase that data in the shortest time possible.

However, we may collect Personal Data from persons under the age of 16, in special cases, when there is the express consent given by parents or legal representatives.

IX. AMENDMENT OF THE POLICY

We reserve the right to update the Policy whenever necessary, for example, when there are legislative changes in the processing of personal data, by publishing a new version on the Website. All updates and changes to the Policy will take effect from the time they are posted on the Website. The date of the last revision of the Policy is 12th of november 2021.

You should check this page from time to time to ensure that you understand any changes to this Policy. We may notify you of significant changes to this Policy by email.