Security policy

Terms and conditions

of processing and protection provided at processing of personal data

by the company “ILISTUR” LLC

I. Identity of operator and of persons empowered by operator

1. The company “ILISTUR” LLC IDNO 1020600000627, Chisinau municiplity, 37 Maria Cibotari Street, having established the purposes and means of processing personal data, hereinafter referred to as (Operator of data).

II.  Legal regime and jurisdiction

2. The following legal provisions are applied to the processing of personal data:

a) Law No. 353/2006 on organization and conduct of tourism activity in the Republic of Moldova (;

b) Law No. 1069/2000 on computer science (;

c) Law No. 105/2003 on consumer protection  (;

d) Law No. 71/2007 on registers (

e) Law No. 133/2011 on protection of personal data (

3. The company „ILISTUR” LLC is the subject of the legislation of the Republic of Moldova.

4. The storage of personal data of consumers is performed on servers located in the Republic of Moldova.

III. Record systems and processing manner

5. Manner of collection of personal data:

Directly from data subjects:

a) By filling in the questionnaires via internet/online (when it is requested the reservation of tourist services (treatment and rest tickets in resorts);

b) By manual filling in the contract or questionnaire by means of which it is requested or refused a service (initiation of a business relationship), by the written correspondence.

c) Face-to-face interviews;

d) Examination of presented documents (copies);

e) By telephone.

Indirectly from data subjects through:

a) Received/transmitted by third parties (in case of payment for services by bank transfers).

6. In all cases of collection of personal data, they are processed by the operator of data within its security perimeter, being taken the organizational and technical measures necessary for the assurance of an adequate level of protection of personal data. The mechanism of the assurance of the protection of personal data being established in the Security policy at the processing of personal data of the company, including in the adjoining regulations and instructions describing the processes and measures of protection.

7. The organizational and technical measures provided by the operator of data were evaluated by the National Centre for Personal Data Protection in terms of their compliance.

IV. Purpose, legal basis and categories of processed personal data

8. The purpose of the processing of information containing the personal data in the record system of the contractual beneficiaries consists in:

a) Provision of tourism services (legal basis – the actions necessary for the conclusion and/or execution of a contract).

b) Statistical – the legal basis being the legal obligation provided by the Law No. 93/2017;

c) Commercial prospecting/direct marketing – the legal basis being the consent of the data subject.

9. The operator of personal data processes the following categories of personal data of clients:

9.1. At the initiation of a business relationship for the purpose of the conclusion of the contract:

a) Surname, name

b) Mobile/fixed telephone number and/or email address;

c) Visit period and contracted services;

d) Additional details: selection of utilities, additional preferences, etc.

e) IDNP;

f) Domicile address;

c) Bank details;

h) Additional details: selection of utilities, additional preferences, etc

i) Other data necessary for the conduct of the initiated legal reports.

  1. 9.1.1. The refusal of the data subject to provide the categories of data established in the let. a) - e) of the p. 9.1 or the indication of untrue or erroneous information to the operator of data, leads to the impossibility of the initiation and conduct of the business relations with the client

9.1.2. The personal data specified in the p. 9.1 will be processed by the operator of data for the entire period of the contractual relationship, except for the situations of their update or deletion in accordance with the law. After the termination of the contract, the concerned personal data will be kept in the form of the archive document for a term of 6 years, unless otherwise provided by law.

9.2. On the basis of the consent of the data subject, for commercial prospecting and direct marketing as well as the provision of advertising messages, such as:

a) Surname and name;

b) Telephone number;

c) Email address.

9.2.1.The subject of personal data has the right to withdraw at any time the consent for the processing of the categories of personal data mentioned in the p.9.2.

9.2.2. Withdrawal of consent for the processing of personal data for the purposes specified in the p. 8.2 does not affect in any way the basic object of the provision of tourism services.

9.2.3. The application regarding the withdrawal of the consent does not need to be motivated and can be submitted by the data subject from the email address indicated by him/her in the contract, to the email address or to the legal address of the company Chisinau municipality, 37 Maria Cibotari.

9.3. The operator of data may also process other identifiers of the data subject in case in which they will be recorded/exposed by the data subject: by the written or electronic requests or communications, verbal presentations at the seat of the company or by telephone or other means.

V. Recipients of personal data

10. The operator may disclose the personal data to the following recipients:

a) Contractual partners;

b) Data subject or his/her legal representative;

c) Tax and supervisory or control authorities;

11. Transmission to other third parties is prohibited.

VI. The rights of personal data subjects

12. Right to information – consists in the right to be informed before the collection and processing of personal data about the identity of the operator, the purpose for which it is performed the processing of data, recipients or categories of recipients of data, existence of rights stipulated by the Law on protection of personal data as well as the conditions under which they may be exercised.

13. Right to access to data – consists in the right to obtain from the operator on the basis of a request, confirmation/refutation of whether or not personal data concerning him/her were processed, information on the purposes and categories of processed data, recipients or categories of recipients whom the data are disclosed, the manner in which it is performed the automated data processing, the legal consequences generated by the data processing for the data subject and the manner of the exercise of the right to intervention in personal data.

14. Right to intervention – consists in the obtainment on the basis of a request, rectification, update, blocking, deletion or transformation into anonymous data of the information the processing of which does not comply with the requirements of the Law on protection of personal data, in particular of the incomplete or inaccurate data.

15. Right to opposition – consists in the right to oppose at any time, for reasonable and legitimate reasons related to his/her particular situation, that the data concerning him/her to be the object of the processing, except for the cases in which there are legal provisions that provide otherwise.

16. Right not to be subject to an individual decision – consists in the possibility to request and to obtain the withdrawal, annulment or of any decision that produces the legal effects on the data subject that was adopted exclusively on the basis of an automated processing intended to assess some aspects of his/her personality, such as the professional competence, credibility, behaviour or other similar aspects.

VII. Right to complain to the Supervisory Authority

17. Personal data subjects who consider that the processing of their data does not comply with the requirements of the personal data protection legislation may submit a complaint to the National Centre for Personal Data Protection within 30 days from the time of detection of the breach (mun. Chisinau, str. Serghei Lazo 48, email -, 0037322 811 807).

VIII. Contact details of the person responsible for the protection of personal data

18. In accordance with Art. 25 of Law No 133/2011 on the protection of personal data and para. 37 para. (6) of the GDPR, Mr. Sergiu BOZIANU, director of the company ,,Privacy by Default" SRL,, is designated as personal data protection officer under the service agreement.

IX. Notification on cookies

19. Cookie is the information that is collected at the accessing of the website, in order to identify the user that accessed certain information content. This is generated by our server and the computer on which your browser operates. The information contained in the cookie is set by the server and may be used by that server whenever the user visits the website. A cookie can be considered as an identity card of the internet user, which indicates to a website when the user returned. Similar technologies are also applicable for mobile devices (tablet, smartphone) from which the information is accessed on the respective web page.

20. The use of cookies allows us to offer you certain functions and provides us with the information about the visits to the website or the use of our applications. Most browsers are automatically set to provide cookies, but you are not required to accept them. If you wish to delete cookies that are already on your computer or object to the collection and disclosure of this information, you may access the guides of the producers of the browser at the following addresses:



Book now