DATA PROTECTION POLICY
One of the fundamental missions of Hotel Tarnava 2000 Kft, the owner of Küküllő Hotel (hereinafter referred to as the Hotel or the Company) is the protection of personal data and the right to privacy.
Accordingly, we do our utmost to ensure that your personal data is processed in accordance with the principles set out in the data protection legislation applicable in Romania, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (“GDPR”).
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The processing of personal data is carried out by Hotel Tarnava 2000 Srl, with registered office at 16 Városháza tér, Székelyudvarhely, Harghita County; tax number: RO13640850, company registration number: J19/8/2001.
Küküllő Hotel is the controller of personal data under the GDPR, so it determines the method and purpose of processing personal data.
WHAT PERSONAL DATA DO WE PROCESS?
If you are a Customer or a potential Customer
We collect personal data because of our many interactions with you, as well as from other aspects of our business activities. The categories of data we process are as follows:
Data required for booking (e.g. name, surname, first name, email, telephone).
Arrival-departure registration data required by national law (e.g. nationality, address, date of birth).
Bank card data (card type, credit/debit card number, name of the holder, expiry date and security code).
Information about the customer’s stay, including arrival and departure dates, special needs, preferences.
Information provided in relation to marketing preferences.
Personal data provided by you when registering and subscribing to our newsletter.
Information about vehicles you bring to our property (e.g. registration number).
Data collected from access cards (entry and exit times).
Information collected by various contractual partners (travel agencies, event organizers) and transmitted to the Hotel (room list, event guest list).
Data necessary for the provision of additional services, if applicable.
Ratings and opinions about our services.
Any other information you provide to us.
Surveillance cameras and other security measures in our properties may record or capture images of guests in public places (such as at the Hotel's entrances, restaurants or corridors) as well as your location data (via images captured by surveillance cameras).
You can always choose what personal data you wish to provide to us. However, if you choose not to provide certain personal data, where our request is based on a legal obligation, a contractual obligation or the performance of an obligation necessary to enter into a contract, we may not be able to provide you with certain services, for example: (i) if you do not wish to provide your full name, surname, email address or telephone number when making a reservation, or (ii) given that you are required to provide certain legally required personal data on the arrival and departure registration form that you fill out when checking in to our Hotel, and if you do not wish to fill in these mandatory fields, we will not be able to check you in to our Hotel.
If you are a potential employee
We collect information from your submitted resume, other information you submit with your resume, and/or from interviews with you.
If you are a visitor to our location
We collect your first name, last name, ID number, and serial number.
Surveillance cameras may also take or record images of visitors in public areas (e.g., hotel entrances, restaurants, or lobbies).
If you are a user of our website www.kukullo.ro
No personal data is required to read the information on the website.
However, for the technical operation of the portal, we collect the time and date of access to the website, as well as the IP address from which our website was opened.
Certain personal data is required to use certain services (e.g. online reservations).
If you are a representative or contact for our suppliers or business partners
We collect your first name, last name, job title and other information provided by you or the company you represent.
If you are an employee
Please read our employee privacy policy, which you will be informed about upon hire, and which is available at any time from the Human Resources department.
PERSONAL DATA OF MINORS
We protect the data of children under 16 years of age. If you are under 16 years of age, you must obtain parental or guardian consent to provide personal data.
SPECIAL DATA
The term “special data” refers to the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health, sex life, or sexual orientation.
We generally do not collect special information unless you choose to provide it.
PURPOSE AND REASON FOR PROCESSING YOUR PERSONAL DATA
If you are our customer
In the case of hotel and restaurant reservations, or requests for quotations submitted by you for certain events organized or to be organized.
Purpose: we process your personal data (i) for the purpose of hotel/restaurant reservations (ii) to respond to your requests for quotations.
Justification: necessary for concluding a contract
Check-in
Purpose: we process your personal data for the purpose of registration/reservation at our Hotel.
Justification: Upon check-in, you are required to fill out the arrival and departure registration form, which contains the minimum information required for accommodation, in accordance with the applicable legal provisions.
Customer service (this service includes, among others: cleaning, laundry, etc.)
Purpose: We process your personal data to provide you with the most pleasant experience possible, in accordance with your and the Hotel's expectations.
Justification: Fulfilment of a contract for the provision of hotel services
Profiling
Purpose: To provide a personalized service, we store some of your specific preferences (e.g. whether you prefer rooms on the upper or lower floor, whether you like a particular type of wine, etc.) so that when you return, we know what you like.
Justification: Your consent.
Feedback
Purpose: We process your personal data to ensure that you have a pleasant experience in our facilities.
Justification: It is our legitimate interest to continuously improve the services we offer and to provide services that meet the expectations of our customers.
Marketing
Purpose: We process your personal data for marketing purposes, such as sending you commercial newsletters and marketing communications about new products, services or other offers that we think may be of interest to you.
Justification: To promote our services, we may send you offers that we think may be of interest to you (see section “Your rights”).
Where required by applicable law, we will obtain your consent before processing your personal data for direct marketing purposes. In this case, please note that you can withdraw your consent to the processing for marketing purposes at any time, in which case you will no longer receive marketing communications from us.
We also include an unsubscribe link in our newsletters, which you can use if you do not want us to send you further communications.
We may also take photographs when organising certain events in our hotels and restaurants, and we share some of these online to show others what our events are like. As we value your right to privacy, we always try to ensure that we inform you that photographs are being taken (for objections to photographs, see the section “Your rights”).
Other communications: by email, post, telephone or SMS
Purpose: These communications are made for specific reasons, such as (i) responding to your requests, (ii) if you have not finalized an online booking or request for a quote, we may send you an email to remind you to finalize your booking, (iii) to inform you about how we have handled any complaints and/or incidents that may have arisen during your stay.
Justification: We have a legitimate interest in providing the desired level of service by handling your requests/complaints and ensuring that you are fully available.
Analysis, development and research
Purpose: To continuously improve the quality of our services, we carefully analyse each complaint/suggestion we receive from you, thus generating statistical reports to identify problems and find the best solutions.
Justification: We rely on our legitimate interest to provide services that meet your expectations.
If you are a user of our website www.kukullo.ro
Purpose: we process your personal data to protect the property and persons of the Hotel.
Justification: we have a legitimate interest in ensuring the protection of both the Guests/Hotel property/personnel and the persons within the Hotel.
If you are a visitor to our premises
Purpose: we process your personal data to protect the property and persons of the Hotel.
Justification: we have a legitimate interest in ensuring the protection of both the Guests/Hotel property/personnel and the persons within the Hotel.
If you are a representative or contact of our suppliers or business partners
Purpose: to conduct contractual relations with our suppliers or business partners.
Justification: to fulfil a contract.
If you are a potential employee
Purpose: to evaluate your job application.
Justification: to conclude a contract.
If you are an employee
Please refer to our employee data protection policy, which we provided to you upon recruitment.
For the above categories of persons, we may also process your data for the following activities:
Security
Purpose: we process personal data to protect the security of property and the physical integrity of individuals.
Justification: we rely on our legitimate interest to ensure the protection of your and the hotel's property, as well as the protection of persons staying on the premises of our Hotel.
Legal grounds
Purpose: In certain cases, we need to process the information you provide - which may include personal data - to resolve legal disputes or complaints, investigate and enforce applicable laws, perform an agreement or comply with official requests, provided that such requests meet the conditions set out by law.
Justification: the reason for processing may be a legal obligation (where we have a legal obligation to disclose certain personal data to the authorities) or our legitimate interest in resolving legal disputes and/or complaints.
PERSONS TO WHOM WE SHARE YOUR DATA
To provide you with the expected level of hospitality and high-quality services, we may share your data with our service providers and other third parties as detailed below:
Suppliers: to provide the requested services, in some cases we need to transfer some of your personal data to our partners who are our data processors and process the data on our behalf, on our behalf and in accordance with our instructions (e.g. software providers, IT, accounting, and medical services).
Group Events or Meetings: If you are visiting our Hotel as part of a group or conference, we may share the information requested for planning meetings and events with the organizers of such meetings and events and, where applicable, with the guests organizing or attending the meeting or event.
Business Partners: In some cases, we may partner with other companies to provide you with products, services or offers. For example, we may provide you with optional services related to products that go beyond the products we offer.
Authorities and/or public institutions: (i) in order to comply with legal provisions, (ii) in order to respond to their requests, (iii) in the public interest (e.g. for national security reasons).
The protection of your data is important to us, therefore, as mentioned above, the transfer of personal data will be carried out, where possible, only on the basis of a confidentiality commitment from the recipients, according to which such data will be kept secure and the transfer of such information will be carried out in accordance with applicable laws and guidelines. In any case, we will only transfer to the recipients the information that is strictly necessary to achieve the given purpose.
DO WE COLLECT PERSONAL DATA FROM THIRD PARTIES?
To provide you with the expected level of hospitality and to provide you with the best service, we may collect information about you from our business partners and other third parties as detailed below:
Business partners: for example, card partners, social networking services according to your preferences, travel agencies, event organizers.
We can assure you that we will treat your data collected from third parties under the same conditions as if we had collected it directly from you. We only collect as much as is necessary to achieve our purposes. (see the section “Purposes and reasons”).
DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EU/EEA?
We may transfer your data to certain service providers that are not based in your country of residence or, in some cases, outside the EU/EEA.
Although the data protection laws in these countries may differ from those in your country, we will take reasonable steps to ensure that your personal data is processed in accordance with this Policy and in accordance with applicable laws.
DATA OF OTHER NATURAL PERSONS PROVIDED BY YOU
If you provide us with the data of other natural persons, please inform them in advance of the disclosure and the way in which the data will be processed as described in this Privacy Policy.
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will retain your personal data for as long as necessary to fulfil the purposes detailed in this policy, unless a longer retention period is required or permitted by applicable law.
We will continuously review whether it is necessary to retain your personal data and, where the processing is no longer necessary and there is no legal obligation to retain the personal data, we will delete/destroy your personal data as soon as possible in a way that makes it no longer retrievable or reconstructable.
YOUR RIGHTS
As a data subject, you have the following rights under the GDPR:
Right of access: You may request from us (i) confirmation as to whether your personal data are being processed and, if so, access to and information about the data, and (ii) a copy of the personal data we hold about you (Article 15 of the GDPR).
Right to rectification: You may inform us of any changes to your personal data or request that we rectify the personal data we hold about you (Article 16 of the GDPR).
Right to erasure (“the right to be forgotten”): In certain situations (for example (i) where the data was collected unlawfully, (ii) the storage period for the data has expired, (iii) you have exercised your right to object, or (iv) the processing was based on consent and you have withdrawn your consent), you may request that we erase your personal data (Article 17 of the GDPR).
Right to restriction of processing: in certain situations (for example, if the accuracy of the data or the lawfulness of the processing is contested), you may request that we restrict the processing of your data for a certain period (Article 18 of the GDPR).
Right to data portability: you may request that we transmit your personal data to a third party or directly to you (Article 20 of the GDPR).
Right to object: in certain situations (for example, processing based on legitimate interests), you may request that we stop processing your data (Article 21 of the GDPR).
If we use your personal data based on your consent, you have the right to withdraw your consent. In this situation, we will no longer process your data, unless we are required by law to store and archive it on the website. In each case, we will inform you if such a legal provision exists and will explicitly indicate this.
LINKS TO OTHER WEBSITES
Please note that we are not responsible for the collection, use, retention, sharing or disclosure of data or information by such third parties. If you use or provide information to third party websites, the terms and conditions and privacy policies of those websites apply. We recommend that you read the privacy policies of the websites you visit before providing any personal information.
COOKIES AND SIMILAR TECHNOLOGIES
Our website uses cookies to improve your experience. You can manage your cookie preferences in your browser settings or in the dedicated section of our website.
QUESTIONS OR COMPLAINTS
If you have any questions or concerns regarding the processing of your personal data or if you wish to exercise any of the rights mentioned above, you can contact us at the following email address office@kukullo.ro and we will respond to you within 30 days of receiving your request.
Furthermore, if you do not have electronic means or do not wish to use them, you can submit a written request to (i) Városháza tér 16, Odorheiu Secuiesc (Harghita county) or (ii) the reception of the Hotel.
If you are not satisfied with the way your request has been handled, you can file a complaint with the National Supervisory Authority.
CHANGES TO THE POLICY
This Policy may be amended from time to time in accordance with changes in data protection legislation or changes in our services or organizational structure. If we make material changes, we will publish a link to the amended policy on the home page of our website. If we make material changes that will affect your rights and freedoms (for example, if we start processing your personal data for purposes other than those listed above), we will contact you before such processing begins.
Last updated: March 20, 2025