UAB “BALTIC AMADEUS” (hereinafter referred to as the Company or we), when processing personal data, complies with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the Regulation), the Law on Legal Protection of Personal Data of Republic of Lithuania and requirements of the other applicable legal acts and ensures the security of your personal data.
You – are the visitors of our websites www.ba.lt, www.enjoyit.lt and www.fincell.eu (hereinafter referred to as the Websites), service users, employees and personnel selection participants, customers, partners, subcontractors, service providers (their representatives) and other data subjects, whose personal data we have the right to process and undertake to properly protect.
1. Processed personal data
We may collect and process the following categories of personal data:
- Personal identification data – name, surname, position, name of the workplace, etc.
- Contact personal data – e-mail address, telephone number, workplace or residence address, etc.
- Personal data confirming personal identity – personal identification number, personal identity document No., etc.
- Personal data related to employment – information you provide in your CV, cover letter or other documents provided to us, information about your education, professional qualifications, work experience, etc.
- Information about browsing our Websites – technical data of the device used, IP address, operating system, type of browser, etc.
- Personal data that may be provided to us by other data controllers or processors using our services.
- Any other personal data relating to you that you may provide to us by contacting us, using or wishing to use our services, proposing or providing your services, visiting our office, etc.
2. Legal basis and objectives for the processing of personal data
We process personal data on the following grounds and for the following purposes:
- on the basis of your consent – in order to respond to your inquiries, evaluate your proposals, provide you with information, advertise our services, enable you to use our Websites, analyse your browsing behaviour on our Websites using cookies, perform personnel selections, arrange events, competitions, service presentations, provide direct marketing offers, etc.
- on the basis of concluding and executing a contract with you – in order to prepare a commercial or employment offer, enter into a contract and provide/order services, to communicate with you or your representatives, properly fulfil the obligations to you.
- on the basis of a legal obligation imposed on us – in order to meet the mandatory requirements imposed on us by legislation or decisions of the competent authorities or supervisory authorities, etc.
- on the basis of our legitimate interest – in order to ensure the security of our employees and assets, to protect or defend our rights against violations (e.g., to defend our rights in court/arbitration, to manage arrears, etc.), to exercise the right to insurance coverage, to improve the quality of services provided, to ensure performance of our contractual obligations, to offer similar services to existing customers, etc.
Your personal data are processed only for the purposes for which they were collected and if the purpose changes – we will inform you about it and ensure that personal data is always processed within an appropriate legal basis.
3. Transfer of Personal Data to Other Recipients
We may transfer (disclose, grant access) personal data to third parties (other data controllers, processors or recipients) in the following cases and procedures:
- when are required to provide personal data to the competent authorities based on an existing legal obligation (Sodra, VMI, Department of Statistics, VĮ „Registrų centras“, etc.) or individual legal order (e.g., law enforcement authorities);
- when we provide personal data of our own and our partners’ personnel participating in project activities to our existing and/or potential clients;
- if we use ancillary data processors (e.g., IT service providers, server and other infrastructure service providers and intermediaries, consultants, insurance service providers, communication service providers, recruitment agencies, electronic document signing platform service providers etc.) for the processing of personal data, with whom contracts are concluded defining the scope of data processing, implementation of appropriate organisational and technical measures and other obligations necessary to ensure secure personal data processing and confidentiality;
- if we must protect or defend our legitimate interests (e.g., to transmit data about the incident to law enforcement authorities, insurance company, apply for a professional legal consultation etc.);
- if your consent has been obtained for the disclosure of personal data (e.g., the employee’s consent to use his/her image (photo) in public communication, to take advantage of additional benefits provided by the Company, etc.).
In all cases where personal data are transferred to third parties, we ensure that the data shall only be disclosed to trusted recipients and to the minimum extent necessary to achieve the purpose of the processing.
4. Transfer of Personal Data to Recipients Outside the EEA
The company operates on an international scale, therefore we may also transfer (disclose or provide access to) your personal data to our or our partners’ employees, auxiliary data processors or other data controllers (e.g., our existing and/or potential clients, IT service providers, server and other infrastructure service providers and intermediaries, etc.) outside the European Economic Area (EEA). When transferring personal data outside the EEA, we undertake to ensure that the data are transferred only to countries that ensure adequate legal protection of personal data and in accordance with the requirements of the Regulation, such as the application of standard contract clauses, etc.
5. Personal Data Retention Period
We set retention periods for personal data according to the specific purposes of the processing and process the data only for as long as is necessary to achieve the respective purposes. For example:
- We store the personal data of the customers/their representatives provided to us for the purpose of performance of the service provision/cooperation agreement for 10 (ten) years from the date of termination of the agreement;
- We store personal data managed/processed by the customers and provided to us in accordance with the concluded personal data processing agreements until the expiry of the service provision/cooperation agreement unless a different storage term is stipulated in the contract concluded with a specific customer or specified in a separate instruction by the customer;
- We process the contact personal data of the customers/their representatives for the purposes of direct marketing as long as the service provision/cooperation agreement is in force or the customer/its representative’s objection to further data processing is received;
- We store the data of persons who have agreed to receive direct marketing offers no longer than 3 (three) years after the date of receipt of the consent;
- We store the data of persons who have registered and agreed to participate in the competitions, service presentations or other events organized by the Company for no longer than 3 (three) months after the end of the event;
- We store the personal data of candidates for work in the Company for a period specified in the Job candidates’ personal data processing procedure;
- We store the personal data of our partners (their specialists) during the effective period of the cooperation agreement and for 3 (three) years from the end of the cooperation;
- We store personal data of the service providers/their representatives collected during recorded video meetings (e.g., during training, service presentations, etc.) for a reasonable period of time, determined after assessing the necessity of the recorded information for the provision of services or the effective use of the result of the service received, but no longer than for 3 years (unless a different term is agreed in the service agreement).
The terms of storage of personal data of our employees, suppliers of goods and services/their representatives processed for the purposes of internal administration (personnel management, management and use of available material and financial resources, accounting and record keeping) are set in the Company’s internal documents.
We ensure that at the end of the retention period of personal data, all data shall be securely destroyed or depersonalized in such a way that the information cannot be recovered.
6. Personal Data Safeguarding
We grant access to your personal data only to those employees or partners whose processing of personal data is necessary for the performance of their direct duties and who are properly familiarized with the requirements applicable to the processing of personal data.
We apply appropriate technical and organisational measures to ensure the secure processing of your personal data, data confidentiality, integrity and access control. We are certified with the ISO 27001 information security management system certificate and accordingly have approved and implemented personal data and information security procedures determining the application of preventive measures, distribution of responsibilities, control measures and procedure for responding to security breaches. All procedures regulating the Company’s activities are periodically reviewed, execution of the procedures supervised and employee training arranged.
The Company’s knowledge and professional qualifications of our specialists are certified by Human Factors Certified Usability Analyst (CUA), Certified Ethical Hacker (CEH), Information Systems Security Professional (CISSP), Certified Data Privacy Solutions Engineer (CDPSE), Certified Information Security Auditor (CISA) and ISO/IEC 27001 Information Security Management System certifications.
7. Automated Decision Making and Profiling
The Company shall not process personal data through automated individual decision-making, but may conduct profiling (i.e. automated processing of personal data where personal data are used to assess certain personal aspects of an individual) that does not have legal consequences or similar significant effects for you.
Profiling shall be based on the Company’s legitimate interests, performance of the contract and/or your consent. If you have agreed to receive direct marketing messages, the Company shall have the right to process personal data for the purpose of sending direct marketing messages of a general nature and/or individually tailored to you.
8. Your Rights
As a data subject, you shall have the following rights under the Regulation:
- To get acquainted with your personal data processed by us (right of access);
- To require us to correct your personal information if it turns out to be inaccurate;
- To require us to delete your personal data (right to be forgotten);
- To demand that we limit the processing of personal data;
- To require us to provide your personal data in a structured, commonly used and computer-readable format for transfer to another data controller (right to data portability);
- To not consent to the processing of your personal data, including processing for marketing purposes;
- To disagree with automated decision making, including profiling.
In order to exercise these rights, we hereby ask you to:
- Provide us with the information we need to identify you (for personal identification);
- Formulate your application and provide related information.
We undertake to respond to your request no later than within 1 (one) month from its receipt.
If you believe that our processing of personal data does not comply with the requirements established by the Regulation or other legal acts, you have the right to apply to the State Data Protection Inspectorate using the contacts provided on its website: https://vdai.lrv.lt/
When you visit our Websites, we may collect certain information about your device, IP address, operating system, browser type, and more. We need this information to administer the system, to provide assistance, to collect aggregated data for analysis and quality improvement.
Types of cookies used on Websites:
- Strictly necessary – these types of cookies are necessary for the operation of the Website. These cookies cannot be disabled because the Website will not function properly without them.
- Functional – used to prevent changes to settings, such as language or time zone selection, each time you visit our Website.
- Analytical – these cookies are used to collect general statistics on the number of visitors to monitor the performance of the Websites for analytical purposes and to improve their performance.
- Marketing – used to better tailor the content of the Websites, to provide customized ads that may be of interest to an individual user.
If you do not agree to the storage of cookies on your device, you can revoke the consent at any time by using them by changing the settings and deleting the stored cookies. If you have chosen to delete cookies, remember that all the settings you have set are also deleted. In addition, if cookies are completely blocked, the Websites may no longer function properly. For these reasons, we do not recommend disabling cookies.
10. Third Party Websites