2. The controller of your personal data is UAB P. Varkojis ir kompanija (registration No. 161732763, registered office address: Mokyklos g. 4, Kurmaičių k., LT-97240 Kretingos r., e-mail: firstname.lastname@example.org, phone: +370 445 48246, website: www.varkojis.com) and its current or future branches and representative offices and other legal entities whose services are used by the Company when selling the products and which are authorized to act on behalf of the Company. The Company’s contact details are published on the website www.varkojis.com (hereinafter referred to as the “Website”).
4. The Company takes a responsible approach to the processing of personal data and makes all reasonable efforts to ensure the security, integrity, and confidentiality of personal data and other information processed by the Company.
5. You may visit the Website or visit the Company’s premises to inquire about the products produced and sold without providing any information about yourself (other than that collected by cookies or captured by the Company’s video surveillance cameras).
7. Personal data collected by the Company are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation”), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other data protection legislation.
8. The Company may use the services provided by processors and/or employ other persons to perform certain functions on behalf of the Company. In such cases, the Company shall take the necessary technical and organizational measures to ensure that such processors process personal data in accordance with the Company’s instructions and applicable legislation and shall require them to implement appropriate personal data security measures. The Company will also ensure that such persons are bound by confidentiality obligations and will not be able to use such information for any purpose other than that necessary to perform the functions assigned to them.
9. All of the Company’s employees and representatives and employees of the representatives who become aware of the personal data are obliged to protect them even after the termination of their employment or contractual relationship.
Main terms and definitions
10. Personal Data mean any information relating to an identified or identifiable natural person who can be identified directly or indirectly (by obtaining data from other sources). Such data can be your name, surname, e-mail address, telephone number, address or other data on the basis of which you may be identified.
11. Recipient means a natural or legal person to which the personal data are disclosed.
12. Data subject means a natural person who provides personal data to the Company that later processes such data.
13. Processor means a natural or legal person that processes personal data on behalf of the controller.
14. Provision of data means the disclosure of personal data by transferring them or by making them otherwise available to the Recipient(s).
15. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission and other operations involving data.
16. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
Basis for personal data processing and data protection principles
18. The basis for the processing of your personal data may be:
your intention to enter into an agreement with the Company or an agreement already concluded with the Company;
the basis specified in the legislation (e.g., fulfilment of any obligation provided for in the legislation and compliance with court requirements or other requirements relating to the settlement of disputes);
the Company’s legitimate interest (e.g., to file and defend claims and perform other lawful actions, to prevent or reduce losses, to improve the quality of service, to ensure the consistency and sustainability of the Company’s operations, to meet your expectations and maximize your satisfaction with the Company’s services).
19. When collecting and using the personal data received from you and from other sources, the Company observes the following principles:
Your personal data are processed lawfully, fairly and in a transparent manner (principles of lawfulness, fairness, and transparency).
Your personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation).
Your personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (principle of data minimisation).
Personal data being processed is accurate and, where necessary, kept up to date (principle of accuracy). By submitting your personal data, you confirm that they are accurate and correct.
Your personal data are stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which your personal data is processed (principle of storage limitation).
Your personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality).
What data about you do we collect?
20. The main purpose for which the Company collects your personal data is the conclusion (or intention to conclude) of an agreement between you and the Company, performance of an agreement, and control of the performance of an agreement.
20.1. The following data may be processed for the above purpose: name, surname, personal identification number, address, e-mail address, phone number, bank account number, bank details. If an agreement is concluded with a legal person, the following data may be processed: name, surname, position, e-mail address, telephone number, and the name of the employer of the director or other person authorised to act on behalf of the data subject, details of board members and shareholders (only if the approval of these management bodies is required for the conclusion of the transaction and only to the extent necessary to ensure that such a decision/approval has been obtained), copy of the power of attorney.
20.2. Data storage period. Personal data shall be stored in the active database during the validity period of the agreement, i.e., from the time the data are received until the end of the agreement. Accordingly, personal data in the passive database shall be stored for the specified purpose for ten (10) years, counting from the date the agreement has ended. At the end of the personal data storage period specified in this paragraph, they shall be destroyed, i.e., personal data shall be deleted from the active database after the agreement ends, and personal data older than ten (10) years shall be deleted from the passive database. Paper or other material versions of documents, if any, shall also be destroyed. In case the Company, after receiving the personal data, decides not to enter into an agreement with you, your personal data will be stored in the active database for one (1) year from the moment of receiving the data.
20.3. Personal data providers. Personal data are collected directly from you (or personal data are provided on your behalf) or from legal persons when you are a representative, employee, contractor, founder, shareholder, participant, owner, etc. of these legal persons or they are collected on a lawful basis by the Company itself. When performing the agreements, the Company may supplement your personal data with personal data obtained from other sources.
20.4. Groups of data recipients: employees of the Company responsible for the performance of the agreement, credit, financial, payment, and/or electronic money institutions, attorneys in law and/or their assistants, lawyers.
20.5. Data may be transferred to third countries (outside the European Union) only if the circumstances of the conclusion and/or performance of the agreement are related to a third country. In this case, the Company shall perform all actions specified in the General Data Protection Regulation.
21. The Company may process your personal data for debt management purposes. Personal data are processed for this purpose in order to manage and recover debts, make claims and requirements, bring actions before a court and submit other documents and documents regarding debt collection enforcement.
21.1. For this purpose, the following personal data may be processed: name, surname, personal identification number, address, e-mail address, telephone number, current account number, bank details, amount of debt, amount of interest accrued, amount of penalty interest, date of transfer for recovery, amount of debts (or parts thereof) written off, write-off date.
21.2. Data storage period. Personal data shall be stored for ten (10) years from the date of incurrence of the debt, and after initiating legal proceedings – until the debt is repaid and two (2) years after the repayment. The duration of the data storage period is based on the duration of limitation periods established in the Civil Code of the Republic of Lithuania.
21.3. Data providers. Data are received directly from the data subject, State Enterprise Centre of Registers, companies managing joint debtors’ data files (e.g., UAB Creditinfo Lietuva), and other institutions.
21.4. Recipient groups. Data are received by companies handling joint debtors’ data files, attorneys in law and/or their assistants, lawyers, courts, arbitrators, other institutions solving disputes, bailiffs, law enforcement agencies, debt management and recovery companies, and other entities with a legitimate interest.
21.5. Data may be transferred to third countries (outside the European Union) only if the circumstances of the debt incurrence are related to a third country. In this case, the Company shall perform all actions specified in the General Data Protection Regulation.
21.6. Please note that in the event of your indebtedness and delay in fulfilling your obligations for more than thirty (30) days, the Company has the right to provide available identification data, contact details, and credit history, i.e., information on financial obligations and obligations related to assets and their fulfilment, debts and their repayment, to companies managing debt databases (for example, to the credit bureau UAB Creditinfo Lietuva operating in Lithuania). UAB Creditinfo Lietuva (registration No. 111689163, address: A. Goštauto g. 40A, LT-01112 Vilnius, Lithuania, phone: +37052394131, website: www.manocreditinfo.lt) processes and provides your information to third parties (financial institutions, telecommunications companies, insurance companies, electricity and utility service providers, trade companies, etc.) for legitimate interests and purposes, i.e., in order to assess creditworthiness and manage debts. Credit history data is usually processed for ten (10) years after the fulfilment of obligations. You can access your credit history by contacting the credit bureau directly.
22. The Company may process your personal data for the purpose of ensuring the security of persons and property (to ensure the protection of the Company’s employees, customers, and other visitors against criminal offenses or other violations of rights and to ensure the protection of products and other property belonging to UAB P. Varkojis ir kompanija from illegal misappropriation that can be performed or damage that can be done by employees or other persons) by monitoring the Company’s premises located at Mokyklos g. 4, Kurmaičiai, LT-97240 Kretingos r. with video surveillance cameras.
22.1. The following personal data may be processed for this purpose: image data. Video surveillance systems do not use facial recognition and/or analysis technologies and they do not group or profile the video data recorded by associating them with a specific data subject (person).
22.2. Data storage period. Videos are stored for fourteen (14) days from the moment of recording the video (or until the end of the investigation if an infringement is detected). When this period expires, new image data are automatically recorded on top of this data.
22.3. Data providers: persons entering the Company’s video surveillance area.
22.4. Recipient groups: employees of the Company who have the right to monitor the image and responsible employees of the Company providing physical security services. Video records may be provided as evidence to pre-trial investigation institutions, public prosecutors, or courts handling administrative, civil, and criminal cases or in other cases established by law.
22.5. Personal data are not transferred to third countries (outside the European Union).
23. The Company may process the data of candidates for the purposes of internal administration, in particular when carrying out the selection of employees.
23.1. The following personal data may be processed for this purpose: data contained in the curriculum vitae of the candidate for the vacancy, i.e., name, surname, date of birth, address of the place of residence, e-mail address, telephone number, education (information on the educational institution, education period, education and/or qualification obtained), professional experience (information on the employer, employment period, position, responsibilities and/or achievements), data on the rise of qualification (trainings, certificates), information on language, information technology, and driving skills and information on other competencies, contacts of those who recommend or provide feedback on the candidate and/or the content of the feedback (if applicable in a specific case). The Company may also collect other information, i.e., check social networks (Facebook, LinkedIn, etc.), but only if reviewing the candidate’s information on social media is necessary, e.g., in order to assess the specific risks associated with candidates for specific positions.
23.2. Data storage period. CVs of candidates and recommendations of their former employers (if any) in cases where these candidates were not hired shall be deleted and/or destroyed at the end of the selection process, unless the Company has obtained the candidate’s consent to process his/her personal data longer in order to be able to offer a job position later. In this case, the personal data of the data subject shall be stored on the Company’s server for no longer than one (1) year from the date of their receipt. Upon expiration of this period, the CVs will be deleted from all electronic systems of the Company and paper or other material copies will be destroyed. If a request to destroy a CV submitted to the Company is received from a candidate before the expiry of such period, the employee of the Company responsible for personnel must coordinate the execution of such request within three (3) working days and inform the candidate thereof. Personal data may be stored longer if they might be necessary in the event of a dispute/complaint or on other grounds established by legislation. After hiring an employee for the position for which he/she applied and sent the CV, the CV of such person (along with the recommendation of the former employer, if any) shall be attached to the personal file and stored for the entire period of employment.
23.3. Data providers. Personal data are received directly from the data subject (candidate for the vacancy), from employment agencies, job search portals, social media networks and other providers of job search services.
23.4. Recipient groups: no data are provided.
23.5. Data are not transferred to third countries (outside the European Union).
24. The Company may also use your personal data (name, surname, e-mail address, telephone number, content of sent and received messages, IP address) to send you messages, to communicate with you regarding the Company’s products, to inform you about the Company’s policy and terms and conditions, to respond to your requests (for the purpose of saving contacts and for the purpose of communication). For this purpose, your personal data may be transferred to companies that provide message forwarding services. Such personal data shall be stored for six (6) months from the date the issue was resolved, the answer was provided, or confirmation was received. At the end of the aforementioned period, the personal data shall be deleted both from the Company’s server and from the e-mail of the specific employee.
26. The Company has made sure that all independent service providers to whom your personal data are transferred comply with the Company’s instructions on how they should process your personal data. The transfer of your personal data is regulated by data processing contracts, agreements, or data processing terms and conditions that the Company has concluded with independent service providers. All independent service providers (as controllers) must warrant that your personal data will be processed as carefully and thoroughly as the Company would process them itself. These service providers are legally liable to you and the Company for failure to comply with such warranties. The said independent service providers must also implement technical and organizational measures to ensure the same level of data protection as the Company when processing personal data. However, the security of the transmission of information over the Internet or by e-mail or mobile communication may sometimes be compromised for reasons beyond the Company’s control, and therefore you should be careful when providing confidential information.
28. By providing the data, you agree that the aforementioned data will be provided and received by the Company or its appointed authorized representative (through the software tool used and by other means) and by other third parties with whom the Company has entered into a personal data processing agreement in accordance with legislation.
Processing of personal data relating to minors
29. The Company does not process data relating to minors under sixteen (16) years of age. In order to use the Company’s services, a minor must submit a written consent given by his/her representative (father, mother, guardian) regarding the processing of his/her personal data.
30. When you visit the Company’s Website, cookies are used in order to provide content and enable features that meet your needs.
32. Social network accounts, i.e., Facebook, Twitter, Instagram, etc., managed by the Company are subject to the cookie policies of these social networks.
33. Most web browsers accept cookies by default, so cookies will be created as soon as you visit the Company’s Website. If you wish to refuse the cookies used by the Company, you can do so by changing your Internet browser settings accordingly, i.e., by disabling the cookie acceptance property on the Website or deleting them from your browser. If you do not want cookies to be stored on your computer or other device, you can choose in your browser settings to receive a notification before the cookies are stored. You can also set your browser to block all or some cookies. You can delete cookies that have already been saved on your computer or other device. Note that in this case, you’ll need to change settings for each browser and device you’re using. Each browser has a different method for applying settings. If necessary, use your browser’s help function to select correct settings. However, the Company warns you that by disabling or restricting the acceptance of cookies in your browser, you may lose access to some of the services or features of the Company’s Website or other websites.
34. Your personal data collected by cookies shall be processed in accordance with the legislation governing the protection of personal data in force in the Republic of Lithuania. In order to comply with this legislation, the Company applies security measures that shall prevent the illegal disclosure of your personal data and their illegal use.
36. All information about the cookies used on the Website, their purpose, and validity and personal data used is provided in the table below.
Your rights as a data subject
37. The Company has a legal obligation to ensure that your personal data are accurate and up to date. We kindly ask you to assist the Company in fulfilling this obligation and inform us of any changes in your personal data processed by the Company.
38. You may at any time exercise the following rights related to your personal data processed by the Company.
38.1. Right of access. You have the right to request access to any data that may be considered your personal data, including, e.g., the right to know whether the Company processes your personal data, what categories of personal data are processed, and for what purposes personal data are processed.
38.2. Right to rectification. You have the right to request the Company to rectify any personal data about you if you believe they are inaccurate or incomplete.
38.3. Right to object. You have the right to object to the processing of your personal data, including, e.g., the processing of your personal data for direct marketing or profiling purposes.
38.4. Right to erasure (‘right to be forgotten’). You can request to erase your personal data if they are no longer needed for the purposes for which they were collected, if you consider that the processing is unlawful, or if you consider that personal data have to be erased for compliance with a legal obligation.
38.5. Right to data portability. If your personal data are processed automatically with your consent or on the basis of a mutual contractual relationship, you may request the Company to provide you with such personal data in a structured, commonly used and machine-readable format. In addition, you can request to transfer personal data to another controller. This can only be done if it is technically possible.
38.6. Right to withdraw consent. In cases where personal data are processed with your consent, you have the right to withdraw such consent at any time.
38.7. Right to refuse marketing communications (if personal data are processed for this purpose). You may opt out of receiving communications from the Company that the Company believes may be of interest to you. You may opt out of receiving communications at any time by contacting the Company by e-mail, post, or telephone.
41. If you believe that your personal data is being processed improperly or that the Company has violated your (as a data subject) rights, you have the right to file a complaint with the State Personal Data Protection Inspectorate (A. Juozapavičiaus g. 6, LT-09310 Vilnius, phone: +37052712804, +37052791445, fax: +37052619494, e-mail: email@example.com, website: www.ada.lt).
42. You may submit a request for access to your personal data, a request to rectify your personal data, or a disagreement with the processing of personal data directly to the Company at Mokyklos g. 4, Kurmaičių k., LT-97240 Kretingos r. or by e-mail firstname.lastname@example.org. The request must clearly state your name and surname and a duly certified copy of the identity document must be attached or the request must be signed electronically.
43. The Company shall provide a response to your request no later than within thirty (30) calendar days from the date of receipt of the request. In exceptional cases requiring additional time, the Company shall have the right to extend the deadline for submission of the requested data or examination of other requirements specified in your request after notifying you thereof.
44. If your request is legally justified, the Company will terminate the processing of personal data after examining the request, except for the cases specified in legislation.
Location of your data processing
46. The Company may transfer your personal data outside the European Union in accordance with:
European Commission’s decision on adequacy;
standard data protection clauses adopted by the European Commission;
standard data protection clauses adopted by the authority responsible for the protection of personal data;
other derogations allowed by applicable legislation after implementing other security measures.
48. The Company is not responsible for ensuring your privacy on third-party websites even if you access third-party websites using links on the Website. The Company recommends that you read the privacy policies of each website that does not belong to the Company.