Respect for the right to protection of personal data

Respect for the right to protection of personal data as well as the right to privacy is one of the fundamental missions of Hercesa Cismigiu SRL, owner of Hotel Cismigiu, and of Hercesa Vivenda SRL, the management company of Hotel Cismigiu.

We therefore take all necessary steps to process your personal data in accordance with the principles established by the applicable data protection legislation in Romania, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC ( “GDPR”).

Personal data means any information relating to an identified or identifiable natural person ( “data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.

The processing of personal data is done by the two joint operators: Hercesa Cismigiu SRL headquartered in 1 Baia de Arama Street, Chamber 2, 2nd District, Bucharest, registered under no. J40/8016/2009 at the Trade Registry, having Tax ID Code RO25787821 and Hercesa Vivenda SRL, headquartered in 1 Baia de Arama Street, Chamber 1, 2nd District, Bucharest, registered under no. J40/11030/2008 at the Trade Register, having Tax ID Code RO24093414.


If you are a client or potential client

We collect personal data from most interactions with you, and in other aspects of our business. The categories of data we process are the following:

  1. data required to make reservations (for example, name, surname, e-mail address, phone number);
  2. data related to the guest registration form, required under national law (eg, nationality, address, date of birth);
  3. bank card details (card type, card number, credit / debit card holder’s name, expiry date and security code);
  4. information about the client’s stay, including date of arrival and departure, special requirements, preferences;
  5. information you provide regarding your marketing preferences;
  6. personal data provided for newsletter subscription;
  7. information about the vehicles that you may bring on our property (e.g. registration number);
  8. data collected from the access cards (entry and exit time);
  9. information collected by various third parties (e.g. travel agencies, event organizers) and sent to Hercesa Vivenda SRL (rooming list, guest list events);
  10. data necessary for the provision of additional services;
  11. reviews and opinions about our services;
  12. any other information you choose to provide us with.

Also, surveillance cameras and other security measures on our properties can capture or record images of guests in public places (such as hotel entrances, restaurants or hallways/lobbies), as well as your location data (through the images captured by the surveillance cameras).  

You can always choose what personal data you provide us. However, if you choose not to provide certain personal data, if the basis for our processing is the  compliance with a legal obligation, contractual obligation or obligations to conclude a contract, we will be unable to provide you with certain services, for example: (i) if you do not want to disclose your full name, e-mail address and/or telephone number when making a reservation, we will not be able to make the reservation, or (ii) given that in the registration form which you are required to fill in on arrival you will need to provide some mandatory personal data, should you choose not to fill in those mandatory fields, we will not be able to accommodate you.

If you are a potential employee

We collect the information sent through your resume and any other information submitted with your resume and / or provided during the interviews in which you participated..

If you are a visitor in our location

We collect your name, surname, and your ID card’s series and number.

Surveillance cameras can also capture or record images of visitors in public places (such as the entries in the hotel or in restaurants or lounges).

If you are a user of our website

No personal data is required to read the information on the websites.

However, for the technical operation of the portal, we collect the time and date when the website was accessed and the IP address that accessed it.

Some personal data is required for the use of some services (such as online bookings, job applications). For details, please refer to the sections corresponding to the operation done on the website.

If you are a representative or contact person of our suppliers or business partners

We collect your name, surname, position, and any other data provided by you or the company that you represent.

If you are an employee

Please read our Employee Privacy Policy brought to your attention at the time of employment and available at any time at the Human Resources Department.


We protect the confidentiality of personal data of children under 16. In case you are under the age of 16, you must obtain the consent or permission of your parent or guardian for any personal data you provide.


The term “special categories of personal data” refers to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, data on health or data on sexual life or sexual orientation.

Generally, we do not collect sensitive information unless you want to disclose it. We can use the health data you provide to better serve and meet your special needs (e.g., to prepare food without specific ingredients to which you are allergic, to provide easy access to people with disabilities).


If you are a client

  • Hotel and restaurant reservations, or requests for offers sent by you for certain organized events or events that can be organized.

Purpose: we process your personal data (i) to make a reservation in the hotel / restaurant (ii) to respond to your requests for offers  

Basis: Conclusion of a contract

  • Check-in

Purpose: we process your personal data for your registration / accommodation in our hotel.

Basis: Upon check in, according to the legal provisions in force, you are required to fill in a guest registration form containing the minimum data necessary to us to be able to accommodate you.

  • Client service (this service includes, inter alia: hotel shuttle service, concierge service, cleaning service, laundry service, etc.)

Purpose: We process your personal data to provide you with a pleasant experience in accordance to your standards and the hotel’s standards.

Basis: Performance of the hotel service contract

  • Profiling

Purpose: in order to provide customized services, some of your special preferences (e.g. whether you prefer rooms on the upper floors or the lower ones, whether you like a certain type of wine, etc.) are stored so that when you return, we will already know what you like

Basis: Your consent

  • Feedback:

Purpose: we process your personal data to ensure that you have had a pleasant experience in our units.

Basis: our legitimate interests to constantly improve the services we offer and to provide services which are appropriate and in accordance with the standards of our customers.

  • Marketing:

Purpose: we process your personal data for marketing purposes, such as commercial newsletters and marketing communications on new products and services or other offers that we think may be of interest to you

Basis: we rely on a legitimate interest in promoting our services by submitting the offers which we consider to be of interest to you (see “Right to object” under “Your rights”)

If necessary, in accordance with the applicable law, we will obtain your consent before processing your personal data for direct marketing purposes. In this case, we hereby notify you that you may at any time withdraw your consent to a processing for marketing purposes, in which case you will not receive any marketing communications from us.

We will include an unsubscribe link, which you can use if you do not want to receive any more messages from us.

Also, when organizing certain events in our hotels and restaurants, we may take some photos, and some of these could also be distributed in the online environment to show others what our events are like. In any case, because we respect your right to privacy, we will make efforts to avoid focusing on certain people and we will do everything in our power to inform you that photos will be taken at the event (for objections to our photos, see “Right to oppose” in the “Your rights” section)

  • Other communications: by e-mail, mail, phone or SMS

Purpose: these communications are made for a specific reason such as: (i) to respond to your requests, (ii) if you have not completed an online reservation or a request for an offer, we may send you an e-mail to remind you to complete the process, (iii) to inform you about the manner in which complaints and / or incidents which may have occurred during your stay have been resolved.

Basis: our legitimate interests to provide services at the desired standard by addressing any claims / complaints and to ensure our full availability.

  • Analysis, improvement and research:

Purpose: To ensure a constant qualitative development of our services, we carefully analyse each complaint / suggestion from you so that we can compile statistical reports to identify problems and find the best solutions to remedy them.

Basis: We rely on our legitimate interest to provide services which meet your and Hotel Cismigiu’s standards.

If you are a visitor in our location

Purpose: We process your personal data for the protection of people and goods within our hotel.

Basis: Our legitimate interest to ensure both the protection of the persons in the hotel and of the property of the clients/ staff / hotel.

If you are a user of our website  

Purpose: To monitor traffic in order to identify errors and / or any other website malfunctions

Basis: We base this data processing activity on our legitimate interest, namely to constantly improve our website and provide you with a fully functional website by fixing any errors.

If you are a representative or a contact person of our suppliers or business partners

Purpose: Conducting contractual relations with suppliers and business partners.

Basis: The performance of a contract.

If you are a potential employee

Purpose: Assessing your application for employment.

Basis: The conclusion of a contract.

If you are an employee

Please read our Employee Privacy Policy brought to your attention at the time of employment and available at any time at the Human Resources Department.

For all  abovementioned categories of persons, we can also process your data in the context of the following activities:

  • Restructuring, internal reorganization or sale of assets or shares:

Purpose: We process your information for the abovementioned operations.

Basis: Our legitimate interest to carry out the operations, especially if they would be impossible to do without the processing of your data

However, we asssure you that this possible processing will be carried out in accordance with this policy and by implementing measures in order to ensure the confidentiality of your data.

  • Security:

Purpose: We process personal data for the security of goods and the physical integrity of persons.

Basis: we rely on our legitimate interests to protect your property and the hotel’s as well as to protect the persons in our hotel.  

  • Legal grounds:

Purpose: In some cases, we must process information which may include personal data in order to resolve legal disputes or complaints as well as investigations and to comply with the applicable legal regulations, to implement an agreement or in order to comply with requests from public bodies to the extent that these requests meet the legal requirements.

Basis: The reasons for the processing may be represented by a legal obligation (where we are legally required to disclose certain personal data to public authorities) or by our legitimate interest to resolve potential disputes and / or complaints.


To provide you with the expected hospitality level and high-quality services, your data may be sent to our service providers and other third parties, as shown in detail below:

  1. Providers:  in order to provide the requested services, in some cases we will need to pass some of your personal data to the providers, and they have the capacity of processor and process the data in our name and behalf and in accordance with our instructions (e.g., software, IT, accounting services, medical services providers).
  2. Group events or meetings: If you visit our hotels within a group or a conference, the information required for the planning of the meeting and event may be shared with the organizers of these meetings and events and, where appropriate, with the guests who organize or participate in the meeting or event.
  3. Business partners:  In some cases, we associate with other companies to provide you with products, services or offers. For example, we can arrange for you to hire a car or we can intermediate optional pastry services and kitchen products that exceed our offer.
  4. Authorities and / or public institutions: (i) to comply with legal provisions, (ii) to respond to their requests, (iii) for reasons of public interest (e.g. national security). For example, according to the rules set out in Section “For what purpose and on what basis is your personal data processed” letter b) any hotel unit is obligated to send each client’s registration form to the competent authorities.

Your privacy is important to us, which is why, where possible, the transmission of personal data in accordance with the above shall be done only pursuant to a confidentiality agreement from the recipients in order to ensure that this data is kept safe and that such information is provided in accordance with applicable laws and applicable policies. In any case, we will always send to the recipients only the information strictly necessary for achieving that purpose.


To provide you with the expected level of hospitality and the best level of service, we may collect information about you from our business partners and other third parties, as shown in detail below:

  1. Business partners:  such as card parteners, social networking services that are consistent with your own settings for these services, travel agencies, event organizers.

In any case, we ensure that your data collected from third parties will be processed under the same conditions as if it were collected directly from you. We will also collect only what is necessary for our purposes. (see Section “ For what purpose and on what basis is your personal data processed”).

In addition, when we first contact you, we will firstly let you know the source from which we obtained your personal data.


We may transfer your data to our service providers and other third parties that may be based in countries other than the one you reside in, and in some cases in countries outside the EU / EEA.

Although data protection laws in these countries may be different from those in our country, we will take the necessary steps to ensure that your personal data is processed in accordance with this policy and in accordance with applicable law.


If you provide us with the personal data of other individuals, please let them know before this disclosure and please inform them of how their personal data will be processed as described in this Privacy Policy.


Your personal data is retained for the full duration of the purposes detailed in this Policy, if a longer period of retention is not required or permitted by the applicable law.

We constantly review the need to keep your personal data, and to the extent that processing is no longer required and there is no obligation under the law to keep your personal data, we will delete / destroy your personal information as soon as possible and in such a way as to prevent subsequent recovery or reconstitution (e.g., we will delete / destroy all data of persons not hired after having been interviewed, unless there is a serious prospect of future employment).

If personal information is printed on paper, it will be destroyed in a way that eliminates it completely, and if it is stored on electronic media, it will be erased by technical means to ensure that the information can no longer be subsequently recovered or reconstituted.


As the data subject, you are entitled to the following rights under GDPR:

  1. Right of access: You may request (i) a confirmation that your personal data is processed or not, and, if so, access to such data and information about the data, and (ii) a copy of your personal data that we may hold (Article 15 of the GDPR);
  2. Right to rectification: You can inform us of any changes to your personal data or you may ask us to correct the personal data that we hold about you (Article 16 of the GDPR);
  3. Right to erasure ( “right to be forgotten”): In certain circumstances (such as (i) where data has been collected illegally, (ii) the date for data storage has expired, (iii) you have exercised the right to oppose, or (iv) data processing was done on a consent basis and you have withdrawn your consent), you may ask us to delete the personal data we hold about you (Article 17 of the GDPR);
  4. Right to restriction of processing: In certain circumstances (such as when you are contesting the accuracy of such data or the basis of the processing), you may require us to restrict your data processing for a certain period (Article 18 of the GDPR);
  5. The right to data portability: You have the right to ask us to send your personal data to third parties or directly to you (art. 20 of GDPR);
  6. Right to object: In certain circumstances (such as the processing that has a legitimate interest as legal basis), you may request that we no longer process your data (Article 21 of the GDPR).
  7. If we process your personal data based on your consent, you may withdraw this consent.

If we process your personal data based on your consent, you may withdraw this consent at any time. In this case, your data will no longer be processed by us, unless a legal provision  forces us to keep and archive it. In any case, we will inform you if there is such a legal requirement and we will indicate it expressly .


We take your personal data security seriously, which is why we have implemented important security measures necessary to protect against unauthorized access to data or unauthorized modification, disclosure or destruction. This requires an internal review of the data collection, storage and processing practices and of the security measures, as well as physical security measures to protect against unauthorized access to systems where we store personal data.

We also require our service providers and business partners to take all necessary steps to protect against unauthorized access to data or unauthorized modification, disclosure or destruction.


Our website contains links to third party sites. Please note that we do not take responsibility for the collection, use, storage, sharing or disclosure of data or information by such third parties. If you use or provide information on third-party websites, the terms and privacy policies of those sites apply. We encourage you to read the privacy policies of the websites you visit before submitting any personal information.

The use of internet services provided by Hotel Cismigiu falls within the terms of use and privacy policy by ISPs (Internet Service Providers). You can access these terms and policies using the links on the service’s login page or by visiting the website of the provider.


If you have any questions or concerns regarding the processing of your personal data or if you wish to exercise any of the abovementioned rights, you are welcome to contact us using our contact form available on the website or by sending us an e-mail at the following address:, and we will reply  within 30 days of the receipt of the request.

Also, to the extent that you do not have electronic means or do not want to use them, you can submit a written request at our registered office in 1 Baia de Arama Street, Chamber 2, 2nd District, Bucharest.

To the extent that you are not satisfied with the manner in which your request has been resolved, you may file a complaint with the National Supervisory Authority for Personal Data Processing.

Policy Changes

From time to time, this Privacy Policy may change in accordance with the amendments to the data policy legislation or our services or organization. If we make any material changes to this Policy, we will publish a link to the revised policy on the main page of our website. If we make significant changes that will impact your rights and freedoms (for example, when we begin processing your personal data for purposes other than those specified above), we will contact you before we begin this processing.

To help you track the most important changes, we will include a history of the changes below to help you identify the changes to this Policy.