1. Policy’s purpose, basic concepts
This Personal Data Protection Policy (hereinafter referred to as – the Policy) is to confirm that AB “Lytagra” (hereinafter referred to as – the Company) acknowledges that personal data protection is important to you - our clients and other data subjects (hereinafter referred to as - Data Subjects) and is committed to respect and protect each data subject's privacy. The data subjects trust their personal information to us and we are responsible for meeting their expectations every day of our work.
When we process personal data of data subjects, we comply with the General Data Protection Regulation of the European Parliament and of the Council, the Law of the Republic of Lithuania on the Legal Protection of Personal Data, the Law of the Republic of Lithuania on Electronic Communications and other directly applicable legal acts regulating the protection of personal data, as well as the instructions of the relevant authorities.
1.1. The main concepts used in the policy are as follows:
1.1.1. Data subject means a natural person whose data is processed by the Company;
1.1.2. Personal data means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as an identification number, or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person;
1.1.3. Personal data processing means any operation which is performed on personal data, such as collection, recording, accumulation, storage, classification, grouping, unification, alteration (addition or correction), provision, publication, use, logical and (or) arithmetic operations, searching, disclosure, erasure or other action or set of actions;
1.1.4. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, including those committed with electronic means, or oral statement, signifies agreement to the processing of personal data relating to him or her. Silence, fields marked in advance or omission to act shall not be deemed to be consent;
1.1.5. Data controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this Policy, the data controller is the Company;
1.1.6. Data processor means a legal or natural person (who is not the data controller‘s employee) authorised by the data controller to process the personal data;
1.1.7. Employee means the person who has entered into the employment or other similar contract with the Company;1.1.8. Supervising authority means the State Data Protection Inspectorate;
1.1.9. Direct marketing means the activity intended to offer, either by phone or other direct way, goods or services to persons and (or) inquire about their opinion on the goods or services offered;
1.1.10. Company‘s website – www.lytagra.lt;
1.1.11. General Data Protection Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.1.12. The other concepts used in these Rules are consistent with the concepts provided for in the General Data Protection Regulation and the Law of the Republic of Lithuania on the Legal Protection of Personal Data.
1.2. This Policy is aimed at making it easier for the data subjects to exercise their rights.
1.3. This Policy also applies to the protection of personal data of other data subjects (i.e., non-clients and non-employees) whose personal data are processed or will be processed in the future.
1.4. Personal data processed by the Company are accurate, relevant and the Company processes them only to the extent that is necessary for them to be collected and further processed. Where it is required for personal data processing purposes, the personal data shall be updated on a constant basis.
1.5. Personal data can be collected on the website:
1.5.1. To provide the company’s services (processing, administration of the services’ order, loyalty discounting), customer identification in the Company's information system, customer identification by logging in to their accounts on the Company's website, issuing invoices and other financial documents;
1.5.2. With the consent of the data subject, for direct marketing purposes.
1.6. The Company manages the following personal data for the purposes specified in para 1.5 of the Policy: name, surname, e-mail address, address, telephone number.
1.7. The legal basis for the processing of personal data referred to in para 1.5.1. hereof is the Company's obligation to execute the agreement concluded with the data subject and / or at the request (order) of the data subject to take actions to conclude the agreement.
1.8. The legal basis for the processing of the data referred to in para 1.5.2 hereof is the consent of the data subject.
1.9. Where personal data are processed for direct marketing purposes, the data subject has the right to refuse such personal data processing free of charge by cancelling his consent at any time.
2. Personal data processing
2.1. Only the employees shall be entitled to process the personal data of the clients in the Company, including their transfer to third parties provided for in para 2.2 of the Policy. Each employee is required to protect the confidentiality of personal data of a client and to comply with the requirements of the legal acts on the personal data protection and these Rules.
2.2. In the performance of the services contracts made by the Company, the personal data of the Clients may be transferred only to the Company's partners acting on behalf of the Company as the data processors who provide delivery services and other services related to the execution of the services contract (personal data are disclosed only to the extent necessary for the provision of the relevant services). The personal data of the clients may only be provided to those data processors with whom the Company has signed agreements containing provisions on the transfer / provision of personal data and if the data processor ensures the protection of the personal data that is required by the General Data Protection Regulation. In all other cases, the personal data of clients may be disclosed to third parties only in the cases and according to the procedure established in the legal acts of the Republic of Lithuania.
2.3. The Company complies with the confidentiality principle and keeps in secret any information relating to personal data which it became familiar with in the performance of its duties, unless such information is public in accordance with the provisions of the applicable laws or other legal acts.
2.4. Personal data processing deadline: personal data are processed until they become redundant for the purpose of their processing:
2.4.1. Clients‘ personal data that are collected and processed for the Company to provide its services (para 1.5.1) are processed for a maximum period of 10 years after the last execution of the order (purchase);2.4.2. Clients’ personal data that are processed for the direct marketing purposes referred to in para 1.5.2 are processed no more than until opting out (withdrawing) from receiving the advertising consent.2.5. When personal data are no longer needed for the purposes of their processing, they must be erased, except those data that must be transferred to state archives in the cases provided for in the laws.
2.6. The personal data protection is organized, guaranteed and carried out by an employee authorized by the Company.
3. The rights of the data subject and the procedure for their implementation
3.1. Rights of the data subject;
3.1.1. know (to be informed) about the processing of his or her personal data in the Company;
3.1.2. get acquainted with his or her personal data processed by the Company and how they are processed;
3.1.3. refuse processing of his or her personal data;
3.1.4. request correcting, adjusting or adding of incorrect or incomplete personal data, deleting his or her personal data or stopping the processing of his or her personal data, save for storage;
3.1.5. require the deletion of data ("the right to be forgotten"). This right is valid on one of the following grounds:
220.127.116.11. personal data are no longer needed to achieve the purposes for which the data were collected or otherwise processed;
18.104.22.168. the data subject cancels the consent which the processing was based on and there is no other legitimate basis for processing the data;
22.214.171.124. personal data was processed unlawfully;
126.96.36.199. personal data must be erased in accordance with the legal obligation imposed by the European Union’s or national law;
3.1.6. the right to data portability: the data subject has the right to receive personal data relating to him or her that he or she provided to the controller in a systematic, commonly used and computer-readable format and has the right to transfer that data to another data controller and the controller to whom the personal data has been submitted should not create obstacles to that when:
188.8.131.52. data processing is based on consent or contract;
184.108.40.206. data are processed by automated means.
3.2. The data subject has the right to submit a complaint to the supervisory authority regarding the allegedly unlawful processing of his or her personal data.
3.3. The data subject has the right to authorize a non-profit institution, organization or association which is properly established in accordance with the law of the Republic of Lithuania, which objectives established in its articles of association are consistent with the public interest and which operates in the sphere of protecting the rights and freedoms of data subjects as regards the protection of their personal data to file on his or her behalf a complaint and to exercise on his or her behalf certain rights under the General Data Protection Regulation.
3.4. Procedure for the implementation of data subject rights:
3.4.1. a person seeking to implement the rights specified in para 3.1. must submit a written request to the Company (in person, by post, through a representative, or by electronic means of communication). The application must be legible and signed by the person; the application must contain the following information: person’s name, surname, place of residence, data for maintaining contacts and information on which of the above rights and to what extent he or she wishes to exercise;
3.4.2. When submitting an application, the person must confirm his identity:
220.127.116.11. if the application is submitted upon the direct arrival to the Company - to provide a personal identification document or a copy certified in accordance with the procedure established by the legal acts of the Republic of Lithuania;
18.104.22.168. if the application is submitted by mail - to provide a copy of a person's identity document approved in accordance with the procedure established in the legal acts of the Republic of Lithuania;
22.214.171.124. if the application is filed through a representative - submit a document confirming the representation;
126.96.36.199. if the application is submitted by electronic means of communication - to sign with electronic signature;
3.4.3. the right of the data subject to refuse processing his or her personal data for direct marketing purposes is exercised by way of data subject’s informing about his or her refusal by Company’s e-mail and providing information about all his or her accounts created on the Company's website;
3.4.4. if the data subject has an account on the Company's website, he or she may view and edit his or her personal information provided on the Company's website by visiting his or her account in the contact details. The data subject may, through his or her account on the Company's website, exercise his right to object to the processing of his or her personal data for direct marketing purposes.
3.5. The applications specified in clause 3.4.1 of this Policy are considered by an authorized person of the Company. The application is examined and the response to the person is submitted no later than within 30 days from the date of receipt of the application.
3.6. When submitting applications in accordance with para 3.4.1., the data subject should not manifestly abuse his or her rights. In the event the data subject abuses his or her right (for example, applies to the Company for information about the processing of his or her personal data more than once every six months), the Company has the right to demand that the data subject refund the administrative costs associated with the execution of such applications.
3.7. To the data subject's refusal to process his personal data for direct marketing purposes, the Company shall respond promptly, within the shortest possible time not exceeding 72 hours. The Company’s employees responsible for the data protection must ensure that the personal data are not further processed for direct marketing purposes.
4. Cookies and their use
4.2. When using the website, the client accepts the Company-applied procedure of using of cookies and is able to choose whether to accept cookies or not. If you disagree with the cookies to be downloaded to your computer or other end device, you may change your web-browser settings and turn off all the cookies or turn them on / off one by one. However, please note that in some cases this may slow down the speed of browsing the web, limit the functionality of certain websites or block access to the website. For more details, please visit www.allaboutCookies.org or www.google.com/privacy_ads.html.
4.3. The information we collect using cookies is used for the following purposes:
4.3.1. Using of functional cookies and providing of services. Cookies are very important for the operation of our website and electronic services, and they ensure the smooth experience of their use for the consumer. For example, if the user so requests, he does not need to enter his name, surname, password or other data every time he logs in.
4.3.2. Service development. By monitoring the use of the cookies, we can improve the functioning of our website and electronic services. We receive information, for example, about which parts of our website are the most popular ones, which websites the users visit from our website, from which websites they visit our website and how much time they spend on our website.
4.3.4. Targeted marketing orientation. The Company, by using cookies, may collect information to provide advertising or content intended for a specific browser with a view to create different target groups.
5. Personal data safety
5.1. The Company implements organizational and technical means to protect the personal data against accidental or unlawful destruction, alteration, disclosure and any other unlawful processing.
5.2. The personal data security infringements, if detected, shall by immediately removed by the Company.
5.3. The Company’s employees respect the principle of confidentiality, as provided for in para 2.3 of the Policy.
5.4. The antivirus software in the Company's computers must be updated on a constant basis.
5.5 In case of infringement of Personal Data Safety, the Company, without unreasonable delay (if possible, within 72 hours from the time it became aware of the personal data infringement), shall inform the supervisory authority to this effect, unless the personal data infringement does not jeopardize the rights and freedoms of natural persons. If the personal data infringement is not communicated to the supervisory authority within 72 hours, the reasons for the delay shall be attached to the notice.5.6. Where the infringement of personal data safety may seriously jeopardize the rights and freedoms of natural persons, the Company, without unreasonable delay, shall inform the data subjects about the infringement of personal data safety.
6.1. The data subject is obliged to provide the Company with his or her complete and correct personal data and to inform it about the relevant changes in his or her personal data.
6.2. The Company has no possibility to fully guarantee that the Company's website will function without any interruptions and that it will be completely protected against viruses. Under no circumstances shall the Company be liable for direct or indirect damages related to the use of the materials or documents available on the Company's website. The data subject is aware that any material that the data subject reads, downloads or otherwise receives as a result of using the Company's website is obtained solely at the discretion and risk of the data subject, for which reason the data subject is liable for the damage done to the data subject himself/herself or his/her computer system.
6.3. Unless indicated otherwise, the intellectual property rights (including copyrights) to the content and information on the Company's website belong to the Company. In addition to the prior written consent of the Company, it is prohibited to reproduce, translate, adapt or otherwise use any part of the Company's website. It is prohibited to perform any other actions that infringe or may infringe the Company's intellectual property rights to the website and that are inconsistent with fair competition.
7. Final provisions
7.1. This Policy shall be renewed no less than once in two years or upon changing of legal acts regulating the protection of personal data.
7.2. The Policy is publically announced on the Company’s website. The Company’s clients shall be familiarized with this Policy by electronic means.
7.3. Data subjects, as regards any of the Policy-related issues they are concerned with, may address to the Company’s employees using the contacts specified on the Company’s website.