1. GENERAL PROVISIONS
1.1. This Privacy Policy (hereinafter – the Policy) provides information on how your personal data, which you may provide on the website https://adampolisgroup.lt/ (hereinafter – the Website), on social media accounts, by contacting us by e-mail or telephone, or by providing them directly at our registered office address, will be collected, processed, and stored.
1.2. Personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, and other legal acts regulating the protection of personal data.
1.3. The controller of personal data specified in this Policy is UAB “Adampolis holding” (hereinafter – the Company), legal entity code 304532498, registered address Perspektyvos g. 10-1, Kaunas, LT-52119. The e-mail address for inquiries regarding data protection and this Policy is [email protected].
1.4. The Company follows these fundamental principles of data processing:
1.4.1. the principle of lawfulness, fairness, and transparency – personal data are processed lawfully, fairly, and in a transparent manner in relation to the data subject;
1.4.2. the principle of purpose limitation – personal data are collected for specified, explicit, and legitimate purposes and are not further processed in a manner that is incompatible with those purposes;
1.4.3. the principle of data minimisation – personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
1.4.4. the principle of accuracy – personal data must be accurate and, where necessary, kept up to date;
1.4.5. the principle of storage limitation – personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
1.4.6. the principle of integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of personal data through suitable technical and organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage;
1.4.7. the principle of accountability – the Company implements legal requirements for personal data protection, monitors compliance with them, and collects data to demonstrate compliance with the Regulation.
2. DEFINITIONS
2.1. Data subject – any natural person whose data are processed by the Company. The data controller collects only those data of the data subject that are necessary for carrying out the Company’s activities and/or for visiting, using, or browsing the Company’s websites, social media accounts, etc. The Company ensures that the collected and processed personal data will be secure and used only for a specific purpose.
2.2. Personal data – any information relating directly or indirectly to a data subject whose identity is known or can be directly or indirectly identified by reference to such data.
2.3. Processing of personal data – any operation or set of operations performed on personal data, such as collection, recording, accumulation, storage, classification, grouping, combination, alteration (supplementation or correction), provision, disclosure, use, logical and/or arithmetic operations, retrieval, dissemination, erasure, or any other operation or set of operations.
2.4. Consent – any freely given and informed indication of the data subject’s wishes by which the data subject agrees to the processing of his or her personal data for a specific purpose.
2.5. Cookies – small pieces of text information used on the Company’s Website, which are automatically created when browsing the website and stored on the computer or other device used by the data subject (website visitor). Cookies are used to improve the browsing experience of website visitors and to analyse website traffic and visitor behaviour on the Website.
3. SOURCES OF PERSONAL DATA
3.1. Personal data are provided by the data subject himself/herself. The data subject contacts the Company (e.g., requests information, applies for a job position), uses the services provided by the Company, purchases goods and/or services, leaves comments, asks questions, subscribes to newsletters, etc.
3.2. Personal data are obtained when the data subject visits the Company’s website. The data subject fills in forms available on the website or, for any reason, leaves his/her contact details, etc.
3.3. Personal data are obtained from other sources. Data are obtained from other sources such as registers managed by public or private entities, etc.
4. PROCESSING OF PERSONAL DATA
4.1. By providing personal data to the Company, the data subject agrees that the Company may use the collected data in fulfilling its obligations to the data subject and in providing services and/or information that the data subject expects.
4.2. The Company processes the personal data of the data subject in compliance with the provisions of the Regulation and other legal acts regulating the protection of personal data, for clear and specific purposes, and on the basis of the following legal grounds:
| Purpose of Data Processing | Processed Personal Data | Legal Basis for Processing | Data Retention Period |
| Direct marketing purposes (seeking the data subject’s opinion on the Company’s services) | Client’s first name, last name, e-mail address | Consent (Article 6(1)(a) of the GDPR) | Consent to receive marketing offers and newsletters is valid until withdrawn, but no longer than 5 (five) years from the date it was given |
| Publicising the Company’s activities (by publishing personal data on the Company’s website, presentations, and other events or materials for public information purposes) | Employee’s or third party’s image, voice recording, first name, last name, position, workplace, work e-mail address, work telephone number | Legitimate interest to inform the public (Article 6(1)(f) of the GDPR) and consent (Article 6(1)(a) of the GDPR) | – Employees – until the end of the employment contract – Third parties – until a request for data removal is submitted |
| Ensuring and maintaining the Company’s activities (for the purpose of concluding and performing contracts, managing, storing, and providing certain data) | First name, last name, personal identification number or date of birth, place of residence, telephone number, e-mail address, workplace, position, bank account number and bank, date of financial transaction or payment, amount, currency, and other data provided by the individual, received by the Company in accordance with legal acts, or required by law | – Performance of a contract (Article 6(1)(b) of the GDPR) – Legitimate interest (Article 6(1)(f) of the GDPR) – Legal obligation (Article 6(1)(c) of the GDPR) | – Contracts – 10 (ten) years after expiration – Invoices – 10 (ten) years after the payment date – Other documents – for the period established by national legislation |
| Administration of inquiries and comments | Data subject’s first name, last name and/or username, e-mail address, telephone number, address, inquiry or comment text | Consent (Article 6(1)(a) of the GDPR) and legitimate interest (Article 6(1)(f) of the GDPR) | 1 (one) year from submission |
| Employee recruitment purposes | Candidate’s first name, last name, date of birth, residential address, contact details (telephone number, e-mail address), information on education, qualifications, work experience, language skills, IT skills, driving skills, other competencies, information provided in the CV, cover letter, or other recruitment documents, employer references and feedback | Candidate’s consent (Article 6(1)(a) of the GDPR) and taking steps prior to entering into a contract (Article 6(1)(b) of the GDPR) | – Candidates participating in a specific recruitment – until the end of the recruitment process (recruitment is considered completed when the selected candidate successfully completes the probation period, but no longer than 3 months from the conclusion of the employment contract) – With candidate’s consent to retain data in the recruitment database – 1 (one) year from the date of consent |
| Administration of employment relationships | First name, last name, date of birth/personal identification number, residential address, declared address, contact details, work e-mail address, work telephone number, education, qualifications, work experience, language skills, IT and driving skills, other competencies, social security number, bank account number, child’s data (first name, last name, date of birth), image, health data, incapacity for work data, business trip and leave data | – Performance of a contract (Article 6(1)(b) of the GDPR) – Legal obligation (Article 6(1)(c) of the GDPR) – Consent (Article 6(1)(a) of the GDPR) | As required by national legislation |
| Assessment of solvency, creditworthiness, and risk of non-performance of obligations | Identity data, contact data, financial status data | Consent (Article 6(1)(a) of the GDPR) | As required by national legislation |
| Handling disputes (judicial and pre-trial) | Data subject’s first name, last name, personal identification number/date of birth, contact details | Legitimate interest to defend the Company’s infringed rights (Article 6(1)(f) of the GDPR) and legal obligation | As required by national legislation |
| Video surveillance (for ensuring the security of persons, property, and premises) | Image of the data subject captured by video cameras, behaviour, property, location, date and time, vehicle registration numbers | Legitimate interest to protect property and ensure personal safety (Article 6(1)(f) of the GDPR) | Up to 14 (fourteen) days |
| Recording of telephone conversations (for service quality assurance and protection of the Company’s legitimate interests) | Call date and time (start and end), call duration, calling phone number, audio recording of the call | – Performance of a contract (Article 6(1)(b) of the GDPR) – Legitimate interest to defend the Company’s infringed rights (Article 6(1)(f) of the GDPR) | 30 (thirty) days after the call |
| Use of cookies (for website functionality, efficiency, improvement, and marketing campaigns) | Visitors’ IP addresses, website browsing data | Consent (Article 6(1)(a) of the GDPR) and legitimate interest (Article 6(1)(f) of the GDPR) | As specified in the Company’s Cookies Policy |
| Administration and assessment of information about possible violations within the Company | – Whistleblowers: first name(s), last name(s), personal identification number, workplace, position, telephone number, personal e-mail address or residential address – Violation data: nature of the violation, place, time, and other collected information – Alleged violator(s): first name(s), last name(s), workplace, position – Witness(es): first name(s), last name(s), position, workplace, telephone number, e-mail address | Legal obligation (Article 6(1)(c) of the GDPR) | As required by national legislation |
5. USE OF SOCIAL MEDIA
5.1. All information that you provide through social media platforms (including messages, the use of “Like” and “Follow” buttons, and other forms of communication) is controlled by the operator of the respective social network.
5.2. We recommend that you review the privacy notices of third parties and contact the relevant service providers directly if you have any questions regarding how they use your personal data.
6. RECEIPT OF NEWSLETTERS
6.1. Only with your consent may we use your personal data for direct marketing purposes in order to provide you with newsletters, offers, and information about our services which, in our opinion, may be of interest to you.
6.2. Persons who have registered on the Website have the opportunity to receive newsletters from the Website if they so wish. This choice is entirely voluntary and is expressed through a clear registration form. Upon registration, individuals may actively choose to receive newsletters by ticking the relevant box. It is also possible to leave the box unticked if you do not wish to receive such communications.
7. DISCLOSURE OF PERSONAL DATA
7.1. The Company undertakes to comply with the obligation of confidentiality in relation to data subjects. Personal data may be disclosed to third parties only where this is necessary for the conclusion and performance of a contract for the benefit of the data subject or for other lawful reasons.
7.2. The Company transfers personal data to members of the group of companies to the extent necessary for the purposes of legitimate interest, service provision, or compliance with legal obligations.
7.3. The Company may provide personal data to its data processors who provide services to the Company and process personal data on behalf of the Company. Data processors are entitled to process personal data only in accordance with the Company’s instructions and only to the extent necessary for the proper performance of contractual obligations. The Company engages only those data processors who provide sufficient guarantees that appropriate technical and organisational measures will be implemented to ensure that the processing complies with the requirements of the Regulation and that the rights of the data subject are protected.
7.4. The Company may disclose personal data in response to requests from courts or public authorities to the extent necessary to properly comply with applicable legal acts and instructions of public authorities.
7.5. The Company guarantees that personal data will not be sold or leased to third parties.
8. PROCESSING OF MINORS’ PERSONAL DATA
8.1. Persons under the age of 14 may not provide any personal data through the Company’s website. If a person is under the age of 14 and wishes to use the Company’s services, written consent from one of the legal representatives (father, mother, or guardian) for the processing of personal data must be provided prior to the submission of any personal information.
9. STORAGE AND DESTRUCTION OF PERSONAL DATA
9.1. Personal data collected by the Company are stored in the Company’s information systems and/or in hard-copy documents. Personal data are processed no longer than is necessary to achieve the purposes of processing or no longer than required by data subjects and/or provided for by legal acts.
9.2. Although a data subject may terminate a contract and refuse the Company’s services, the Company is nevertheless obliged to retain the data subject’s data for possible future claims or legal disputes until the expiration of the applicable data retention periods.
9.3. When a client’s personal data are no longer required for processing, a decision is made regarding their destruction, except for data which, in cases provided for by law, must be archived in accordance with legal requirements.
9.4. In compliance with legal requirements, the Company destroys unnecessary data (documents containing personal data or copies thereof) accumulated by non-automated means in such a way that the information contained therein cannot be recognised. Data collected by automated means are destroyed by deleting unnecessary personal data files from storage media in such a way that they cannot be restored.
10. COOKIES
10.1. Cookies are used on the Company’s website. More information about the use of cookies and the information they collect can be found in the Cookies Policy.
11. RIGHTS OF THE DATA SUBJECT
11.1. The data subject has the following rights:
11.1.1. to know (to be informed) about the processing of his/her personal data (right to be informed);
11.1.2. to access his/her personal data and information on how they are processed (right of access);
11.1.3. to request the rectification or, taking into account the purposes of processing, completion of incomplete personal data (right to rectification);
11.1.4. to request the erasure of personal data (the “right to be forgotten”);
11.1.5. to request restriction of the processing of personal data where one of the lawful grounds applies (right to restriction of processing);
11.1.6. to request the transfer of data provided to the data controller (right to data portability);
11.1.7. to object at any time to the processing of personal data where such processing is carried out in the public interest or is necessary for the purposes of the legitimate interests pursued by the data controller or a third party (right to object).
11.2. If the data subject believes that the Company processes personal data in violation of data protection legislation, we recommend that the data subject first contact the Company directly using the contact details provided in this Policy. If the data subject is not satisfied with the solution proposed by the Company or believes that the Company has failed to take the necessary actions specified in the request, the data subject has the right to lodge a complaint with the supervisory authority, which in the Republic of Lithuania is the State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, website https://vdai.lrv.lt/, e-mail address [email protected].
11.3. The Company must ensure the conditions for the data subject to exercise the above-mentioned rights, except in cases provided for by law where it is necessary to ensure national security or defence, public order, prevention, investigation, detection, or prosecution of criminal offences, important economic or financial interests of the state, prevention, investigation, and detection of breaches of official or professional ethics, or the protection of the rights and freedoms of the data subject or other persons.
12. PROCEDURE FOR THE EXERCISE OF DATA SUBJECT RIGHTS
12.1. The data subject may exercise his/her rights only if he/she provides the Company with the opportunity to verify his/her identity. A request may be submitted in writing to Perspektyvos g. 10-1, Kaunas, LT-52119, or by electronic means via e-mail at [email protected] or by telephone at +370 37 473803.
12.2. The identity of the data subject shall be verified by one of the following methods:
12.2.1. by the data subject appearing at the Company in person, submitting a request to exercise rights to the responsible employee and presenting an identity document (passport or identity card);
12.2.2. where the data subject submits a request by post or via courier or other parcel delivery services – by enclosing a copy of an identity document of the applicant, certified by a notary or in another manner prescribed by the laws of the Republic of Lithuania;
12.2.3. where the data subject submits a request by electronic means in accordance with legal requirements – the request must be signed with a qualified electronic signature or created using electronic means that ensure the integrity and immutability of the text.
12.3. The data subject may exercise his/her rights personally or through a representative. Where a request is submitted through a representative, the representative’s name, surname, and contact details for communication and/or for receiving a response regarding the exercise of the data subject’s rights must be provided (e.g. residential address, correspondence address, e-mail address, or electronic delivery mailbox). A document confirming representation or a copy thereof, certified in accordance with legal requirements, must also be submitted.
12.4. The Company shall provide a response to the data subject no later than one month from the date of receipt of the data subject’s request, taking into account the specific circumstances of the processing of personal data. Where necessary, this period may be extended by a further two months, taking into account the complexity and number of requests.
13. OBLIGATIONS OF THE DATA SUBJECT
13.1. The data subject shall:
13.1.1. inform the Company of any changes to the information and data provided. It is important for the Company to have accurate and up-to-date information about the data subject;
13.1.2. provide the necessary information to enable the Company, upon the data subject’s request, to identify the data subject and to ensure that it communicates or cooperates only with the specific data subject (by providing an identity document or using legal or electronic means that allow proper identification). This is necessary to protect the data of the data subject and other persons, ensuring that information disclosed about the data subject is provided only to the data subject without infringing the rights of others.
14. FINAL PROVISIONS
14.1. In developing and improving the Company’s activities, the Company has the right to unilaterally amend this Privacy Policy at any time. The Company has the right to amend the Privacy Policy in whole or in part by publishing the relevant information on the website www.adampolisgroup.lt.
14.2. Amendments or additions to the Privacy Policy shall enter into force on the date of their publication, i.e. from the date they are posted on the website www.adampolisgroup.lt.
