Preamble

Have you noticed that our website uses personal data?

The truth is that most websites today collect personal data from their users in one form or another. This means that the GDPR applies to the use of a website, particularly where the data subject chooses to communicate a certain set of personal data to the data controller or to the website owner.

The reason you are seeing this document is to inform you honestly and transparently about how we will process your personal data.

Read this document to find out how Exact Tours processes your personal data.

Our commitment regarding the use of your personal data

The data controller, Exact Tours, undertakes to process your personal data lawfully, fairly, and transparently; to observe the principle of storage limitation; and to retain personal data only for clearly defined periods of time. Exact Tours will not process personal data relating to data subjects for an unlimited or indefinite period.

Exact Tours makes a firm commitment to respect your rights regarding the protection of personal data. We will respect the fundamental rights and freedoms of data subjects with regard to the protection of personal data.

Exact Tours has also implemented appropriate technical and organisational measures to ensure an adequate level of security for personal data, and has put in place security measures to protect personal data relating to data subjects, including the personal data of clients.

Definitions

You'll remember we said we'd avoid technical or legal jargon specific to personal data protection. We've tried to use familiar words and vocabulary wherever possible, but in some circumstances we may need to use specific legal terms (occasionally and sparingly).

The GDPR requires us to provide a glossary explaining each unfamiliar term used in this document. The table below explains each term specific to the legal jargon or specialist language of personal data protection:

Term | Explanation

User

The person who browses our website or who registers on our website by creating a user account.

Data subject

The person to whom the personal data refers — the key data subject, or the person whose personal data is processed.

Personal data

Any information that contributes to identifying a natural person, such as: first name, surname, personal identification number, ID series and number, signature, eye colour, income, financial situation, email address, telephone number, etc.

Processing

An operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means — such as collection, recording, organisation, structuring, consultation, adaptation or modification, retrieval, alignment or combination, use, recovery, disclosure by transmission, dissemination, restriction, making available by any other means, erasure, or destruction.

Controller

The company or public authority that determines how your personal data will be used.

Processor

The company or public authority that uses personal data on behalf of another entity, and for purposes established by the entity on whose behalf it is acting.

Consent

When you give your agreement to the use of personal data concerning you by ticking a box that has not been pre-ticked.

Recipient

The natural or legal person, public authority, agency, or other body to which personal data may be communicated. However, public authorities to whom personal data are communicated as part of an investigation, under EU or national law, are not considered to be recipients of personal data.

Competent supervisory authority

The public authority established at the level of the Romanian state which monitors compliance with the GDPR by companies and public institutions in Romania.

Automated individual decision-making

The capacity to make decisions through technological means without meaningful human intervention. It also refers to the systematic and comprehensive evaluation of personal aspects relating to the data subject — such as performance at work, reliability, behaviour, health, financial situation, location data, or movements.

Data Protection Officer

The person you can contact regarding all matters relating to personal data protection and the exercise of your rights regarding personal data protection.

Legal basis

The legal grounds we will use to process your personal data lawfully.

Personal data breach

A breach of personal data security leading to unauthorised or unlawful alteration of personal data, unauthorised access to personal data, or accidental or unlawful loss of access to personal data relating to data subjects. Also known as a security incident or security breach.

Data protection rights

You have the right to obtain a copy of your personal data, update inaccurate information, erase your personal data, object to direct marketing, transfer your personal data to another company, not be subject to a decision based solely on automated processing, and restrict the future processing of your personal data.

Restriction of processing

The right to require the data controller to mark your personal data in order to limit its future processing. Your personal data may then only be stored by our company, for example (where the right to restriction of processing applies).

Identity and contact details of the data controller

Do you need to know who will process your personal data? Find our company identification and contact details below.

The controller of your personal data is EXACT TOURS SRL, sole registration code 11149327, Trade Register number J40/9951/1998, registered office at Strada Ghiocei nr. 2, Sector 2, Bucharest, Romania.

Exact Tours, as data controller, may establish the purposes and means of processing personal data. In addition, Exact Tours may establish the most important elements relating to the processing of personal data and will have autonomy in deciding how personal data relating to you and other data subjects will be processed.

The contact details of the data controller are as follows:

What role does our company play in relation to the personal data concerning you?

Our company acts as data controller. This means that we will process personal data concerning you on the basis of determined, explicit, and legitimate purposes that we have established. The data controller determines the purposes and means of processing personal data and also establishes the security measures it will implement to ensure an adequate level of security for personal data.

Who are the data subjects whose personal data we will process?

The natural persons from whom we collect personal data are: persons who complete the contact form or booking form available on the company website, and persons who subscribe to the newsletter. These are the persons from whom the data controller may collect personal data. The data controller wishes to emphasise that it will only collect personal data where necessary and proportionate.

What personal data do we use?

Exact Tours has minimised the personal data it collects from data subjects and collects only the minimum set of personal data necessary. Exact Tours will not collect personal data that is not necessary.

The data controller wishes to emphasise that it will collect the following personal data from data subjects:

Persons whose personal data we use | Categories of personal data processed

Persons who complete the contact form

Billing-related data: first name, surname, telephone, email address, comment, and order view. Exact Tours also collects any other personal data that may be communicated by the data subject via the "Your Comment" field — your comments or observations. The data controller notes that data subjects may enter any kind of information in this form field.

Persons who complete the booking form for a tourism package

Name, telephone, email, and message. The data subject may communicate any personal data or information they wish via the message field.

Persons who subscribe to the newsletter

Only the email addresses of data subjects who subscribe to the newsletter will be collected.

Purposes of processing and legal basis for processing

Important: we inform you of the purposes and the legal basis we will use to lawfully process your personal data. Exact Tours has an obligation to inform you of the purposes it intends to achieve when collecting or processing personal data, and will always select an appropriate legal basis on which to rely.

The data controller has an obligation to choose a legal basis it will use to lawfully process personal data. Moreover, the data controller will only process personal data necessary to achieve the purposes for which the data was collected or processed. The data controller will not extend or broaden the purposes for which it processes personal data to become incompatible with the original purposes of processing. The data controller will not process data based on general purposes, but only on determined, explicit, and legitimate ones.

Purpose | Legal basis

Making a booking on the travel agency's website

Personal data relating to data subjects will be processed under Article 6(1)(b) and (a) GDPR. Exact Tours will process personal data for the performance of a contract to which the data subject is party, and also on the basis of the consent given by the data subject. Processing is therefore based on two legal grounds.

Completion of the contact form available on the site

Personal data relating to data subjects will be processed under Article 6(1)(a) and (b) GDPR.

Sending newsletters

Exact Tours will process personal data under Article 6(1)(a) GDPR. Personal data will be processed only if data subjects have given their consent to the processing of their personal data for one or more specific purposes.

Issuing a tax invoice if the booking made by the data subject on our site is confirmed

Exact Tours will process personal data under Article 6(1)(c) GDPR. The processing is carried out in the context of fulfilling a legal obligation. Personal data is processed in order to fulfil legal obligations, as provided in Article 6(1)(a) and (c) GDPR.

Withdrawal of consent given for the use of personal data

Did you know that you can withdraw your consent given for the use of personal data concerning you?

You may withdraw your consent regarding the processing of personal data concerning you. Exact Tours allows data subjects to withdraw the consent they have given for the processing of personal data.

To withdraw consent, data subjects must send an email to the data controller at: gdpr@exact-travel.ro. The Data Protection Officer will respond to or fulfil all requests submitted by data subjects regarding the withdrawal of consent.

Withdrawal of consent will result in the deletion of personal data relating to data subjects.

Important: the data controller wishes to emphasise that where there is another legal basis requiring the retention of personal data relating to data subjects, it will not delete personal data even if the right to withdraw consent is exercised. In accordance with Article 7(3) GDPR, data subjects have the right to withdraw their consent as easily as it was given. Consent was given in this case in electronic form and will also be withdrawn in electronic form.

Recipients or categories of recipients of personal data

The data controller maintains a list of all recipients or categories of recipients of personal data. The data controller will assess whether all recipients of personal data have an appropriate legal basis on which to rely for the processing of personal data, and will always verify that there is a legal basis on which to communicate or disclose personal data by transmission.

The data controller will maintain an up-to-date list of recipients or categories of recipients of personal data. The data controller may disclose by transmission the personal data collected via the website to the following recipients:

Recipient: Hosting service provider
Personal data transferred: All sets or groups of personal data collected via the website
Location: Romania
Reason for transfer: Processing is necessary so that the data controller can store personal data relating to data subjects. Personal data is processed for the performance of a contract and on the basis of consent given by the data subject.

Recipient: Newsletter service provider
Personal data transferred: Email addresses of data subjects who subscribe to the newsletter
Location: United States of America
Reason for transfer: The reason for the transfer relates to subscription to the data controller's company newsletter. The legal bases the data controller uses to lawfully transfer personal data are the Standard Contractual Clauses and the consent given by the data subject for the processing of personal data concerning them for one or more specific purposes.

These recipients of personal data are processors. This means that our company has delegated these companies to carry out processing activities on its behalf. The processors will fully comply with the documented instructions received from the data controller regarding the processing of personal data, and will process personal data only on the basis of the determined, explicit, and legitimate purposes established by the data controller. The data controller notes that processors may establish only the appropriate technical and organisational measures they will implement to ensure an appropriate level of security for personal data.

Transfer of personal data outside the European Union or the European Economic Area

The data controller only transfers personal data collected via the newsletter outside the European Union or the European Economic Area, namely to the United States of America.

Personal data collected via the forms available on the site will not leave the country in which it was collected.

The data controller will enter into a controller–processor agreement with the hosting service provider. With the newsletter service provider, the data controller will enter into Standard Contractual Clauses. The Standard Contractual Clauses are a transfer instrument approved by the European Commission. The data controller notes that, through the Standard Contractual Clauses, it is attested that a transfer of personal data outside the European Union and the European Economic Area ensures a level of protection essentially equivalent to that guaranteed by Union law.

The data controller wishes to emphasise that processors will respect the fundamental rights and freedoms of data subjects and will ensure appropriate security of personal data.

Retention period of personal data relating to data subjects

Exact Tours will retain personal data relating to data subjects only for the period necessary to achieve the purposes for which the personal data was collected or processed. The data controller has limited the period of retention or storage of personal data and will not retain personal data for an unlimited period.

In accordance with the principle of storage limitation, personal data must be stored or retained only for the period necessary to fulfil the purposes for which the personal data was collected or processed.

The retention periods are as follows:

Personal data processed | Retention period

Personal data collected via the forms on the website

The data controller will retain personal data collected via the company website for a maximum period of 3 years. This retention period has been internally established so that the data controller does not retain personal data for an unlimited or indefinite period. After this period, personal data relating to data subjects will be permanently deleted. The personal data will be irreversibly erased and destroyed, and recovery will not be possible.

Personal data relating to beneficiaries necessary for the purpose of issuing a tax invoice

Personal data relating to data subjects will be retained for a period of 5 years. This limitation period is provided for in Accounting Law No. 82/1991, republished and updated, with subsequent modifications and additions; the Fiscal Procedure Code; and Order of the Minister of Public Finance No. 2634/2015 on the retention of financial and accounting documents.

Personal data necessary for the booking of a tourism package

The data controller will retain personal data collected via the company website for a maximum period of 3 years. This retention period has been internally established so that the data controller does not retain personal data for an unlimited or indefinite period. After this period, personal data relating to data subjects will be permanently deleted. The personal data will be irreversibly erased and destroyed, and recovery will not be possible.

Personal data relating to data subjects will be retained only in electronic form, via data storage assets, and in accordance with the limitation period (where one exists). Where no period of storage or retention of personal data has been established, the data controller will establish the retention period internally to limit the period for which personal data is stored or processed.

Data protection rights

Exact Tours informs data subjects of the rights they have under the GDPR. The data controller makes data subjects aware that they have rights regarding personal data.

The data protection rights of data subjects are fundamental rights. The data controller wishes to emphasise that data subjects' data protection rights provide them with a higher degree of control over the processing of their personal data by companies.

The 9 data protection rights you have under the GDPR are set out below:

Right | Explanation

Right of access

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, the right to access the information provided in Article 15(1)(a)–(h) and Article 15(2) GDPR, and to obtain a copy of the primary and secondary personal data that we process in relation to you. The right of access to personal data is one of the most important data protection rights and has been enshrined since 1973. The right of access means that you can receive a copy of the personal data concerning you.

Right to rectification

You have the right to obtain, without undue delay, the correction or updating of inaccurate personal data concerning you. In practice, you will be able to keep your personal data up to date and provide us only with correct information regarding your personal data. Rectification of personal data concerning you can also be obtained by updating the information in your user account.

Right to erasure

You have the right to obtain, without undue delay, the erasure of personal data concerning you, and our company has the obligation to erase personal data concerning you without undue delay, where the conditions in Article 17(1)(a)–(f) GDPR apply. You may also exercise your right to erasure of personal data by deleting your user account or by deactivating it. Where you exercise the right to erasure of personal data, and we have an obligation under domestic law to retain certain personal data concerning you, we will not erase that data.

Right to object to processing

You have the right to object to the processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest, or for the purposes of the legitimate interests pursued by the controller or by a third party. Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you. The right to object to processing carried out for direct marketing purposes is an absolute right.

Right not to be subject to automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated means, including profiling. Profiling means processing carried out by automated means involving the systematic and comprehensive evaluation of personal aspects — such as performance at work, reliability, health, financial situation, movements, or location data.

Right to lodge a complaint with a competent supervisory authority

If you wish to lodge a complaint with the data protection authority, you have this right in accordance with Article 77 GDPR. You may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) via the official ANSPDCP website.

Right to a judicial remedy

Under Article 79 GDPR, you have the right to bring a judicial action or to address a judicial body acting in the exercise of its jurisdictional function if you consider that your rights regarding personal data protection and respect for private and family life have been infringed — as established in particular by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, and by Article 16 of the Treaty on the Functioning of the European Union.

Time limit for resolving requests submitted by data subjects under Articles 15–22 GDPR

We have 30 days to fulfil or resolve your request submitted under any of Articles 15–22 GDPR. If we have a large volume of requests or complex requests to handle, this period may be extended by a maximum of two months.

If we extend the period in which we will resolve or fulfil your request, we will inform you of this and of the reason for the delay.

The person who will resolve or fulfil your request is the Data Protection Officer.

If you submit a request regarding the exercise of one of your data protection rights in electronic form, the information will also be provided to you in electronic form — unless you expressly request another format in which your personal data or information should be provided.

Security measures implemented to protect personal data

The data controller notes that the hosting service provider has implemented appropriate technical and organisational protection measures to ensure an appropriate level of security for personal data. The hosting service provider has implemented the following security measures:

Measure | How the measure protects personal data

Training of personnel authorised to access personal data, regarding best practices in personal data protection and information security and cybersecurity requirements

Ensures the confidentiality, availability, and integrity of personal data

Encryption of personal data stored on the hosting service provider's server, using state-of-the-art encryption technology

Ensures, in particular, the confidentiality and integrity of personal data relating to data subjects and of the information stored on the web server

Integration of an SSL certificate at the level of our web server to ensure an encrypted connection between the user's web browser and our web server

Ensures, in particular, the confidentiality and integrity of information transmitted between the web server and a web browser

A secure, tested, efficient, and appropriate procedure for maintaining adequate backup of personal data

Ensures, in particular, the availability of personal data

Backup carried out via the Acronis server. Backups are stored on a separate server from operational data, and are performed daily

Ensures, in particular, the availability of personal data

A disaster response and data recovery plan in the event of a personal data security breach

Ensures the availability of personal data

An appropriate, efficient, integrated, and up-to-date intrusion detection and prevention system

Ensures the availability, integrity, and confidentiality of personal data

An appropriate, efficient, integrated, and up-to-date anti-malware system

Ensures the availability, confidentiality, and integrity of information and personal data

An efficient, integrated, and up-to-date firewall

Ensures the confidentiality, integrity, and availability of personal data

The processor maintains an appropriate, efficient, integrated, and up-to-date system to protect servers against DoS and DDoS attacks

Ensures the availability of our website

Operational procedures regarding the collection, storage, and disclosure of information that may lead to the identification of data subjects

Ensures the confidentiality, integrity, and availability of personal data

Implementation of physical, electronic, and software measures, or appropriate technical and organisational protection measures

Ensures the confidentiality, integrity, and availability of personal data

Strict physical, logical, and technological controls limiting access to the data centre held by the processor — restricted to persons with a real need based on their role

Ensures the confidentiality, integrity, and availability of personal data

The server provided by the hosting service provider offers guaranteed 100% uptime

Ensures the availability of personal data

Automated protection against vulnerabilities

Ensures confidentiality, integrity, and availability

Installation of antivirus software to protect the server against vulnerabilities and risks in a digitalised environment

Ensures confidentiality, integrity, and availability

Modification of the privacy notice

The data controller undertakes to provide prior information to all users of its website regarding any substantial modification of the content of this privacy notice. All substantial modifications made to this document will be documented and noted in chronological order within this document.

An essential point to know regarding the modification of the privacy notice is that the GDPR obliges us to inform you before making any modification to the content of this document. The GDPR obliges us to use an appropriate means of communication to inform you that we intend to make substantial modifications to this document.

In this case, we will notify you if we intend to make modifications regarding relevant aspects of processing — and, by extension, regarding this document — by publishing an information notice on our website indicating that we intend to update our privacy notice.

Our company will notify data subjects of any substantial modification of the content of this document, or of the circumstances or nature of the processing activity we carry out where it has a substantial impact on data subjects. We will inform you of our intention to modify the content of this document well in advance of the modifications taking place and being implemented. This way, you, as a data subject, will be able to understand the impact and nature of the modifications we intend to make. If you do not agree with the substantial modifications, you may exercise your right to object to processing or your right to withdraw your consent for the processing of personal data concerning you for one or more specific purposes.

Finally, you should know that the correction of spelling or grammatical errors does not, in itself, constitute a substantial modification to the content of this document.

If we modify or correct typographical errors, or make changes to the way information is arranged or presented to our users, we will not inform you that we have updated the privacy notice, as this should not be interpreted as a substantial modification of the document.

Modifications made to the privacy notice to date:

Previous versions of the privacy notice

If you are a long-standing user of our website and wish to see the substantial modifications made to this document over time, you may consult previous versions of the privacy notice — which will be made available below as PDF files. Modifications made to the privacy notice will be highlighted in yellow, to clearly indicate the substantial changes the document has undergone over time.

Why have we created this section? Its role is to reinforce the relationship of transparency we wish to build with our users. Through this section, we intend to give our long-standing users the opportunity to see whether we have made substantial modifications to the circumstances and nature of the processing activity we carry out over time.

Contact details of the Data Protection Officer (DPO)

The data controller has appointed a Data Protection Officer who safeguards your fundamental rights and freedoms regarding personal data protection and respect for private and family life.

Don't know what the concept of Data Protection Officer means? We know what it's like to be confused by these legal terms — we've been in your shoes. The most important thing to know is that the Data Protection Officer is the person who helps our company comply with the GDPR and appropriately protect personal data relating to data subjects (including your personal data).

We want you to understand all the information we provide, and we therefore offer additional information or explanations where appropriate. We like to communicate as clearly as possible with all our users, using appropriate, clear, explicit, and simple language when explaining what we will do with your personal data.

Our company has appointed a Data Protection Officer on the basis of a service contract. This means that we have delegated matters relating to personal data protection to a firm that helps us respect your data protection rights.

The Data Protection Officer resolves and fulfils all requests submitted under Articles 15–22 GDPR and provides additional information, where appropriate, regarding the occurrence of a personal data security breach. You may also contact the Data Protection Officer if you wish to obtain additional information about how we use your personal data.

The Data Protection Officer may be contacted by you regarding any matter relating to personal data protection and the exercise of your data protection rights.

The Data Protection Officer provides consultancy and assistance to our company so that we can keep your personal data secure, fulfil our obligations as a data controller under the GDPR, and communicate as efficiently and transparently as possible with you about what we will do with your personal data.

Contact details of our Data Protection Officer: