Data protection policy - AB Birštono sanatorija "Versmė"

Data protection policy

SECTION I

1. GENERAL PROVISIONS.
1.1. Healthcare institution AB Birštonas health resort Versmė (hereinafter referred to as the Company), company code 152814478, B. Sruogos g. 9, Birštonas, e-mail versme@versme.com, tel. No.: +370 319 65662, data protection officer tel. No. +370 608 49799, respecting the right of visitors (hereinafter referred to as Visitors) of www.versme.com (hereinafter referred to as the Website) to privacy, undertakes to ensure protection of their personal data as well as ensuring their rights as data subjects.
1.2. The present Data protection policy regulates the principles and procedure of processing of personal data of Visitors when using the services of the Website thus providing personal data to the Company. The Visitors agree with the provisions of the present Data protection policy, except for data processing actions that require a separate consent from the Visitor and which the Company will ask for, when needed.
1.3. The Visitors can read the Data protection policy of the Website in the menu of the Website by clicking ‘Data protection policy’, they can see the cookies in the pop-up cookie banner and it is considered that they are accepted when the button ‘Agree’ is clicked in the pop-up cookie banner. Where a Visitor objects to the Data protection policy, the use of cookies and/or the privacy and/or personal data processing on the Website or simply does not read the Data protection policy of the Website, he can no longer use the Website and in the event of further use, he acts at own risk and responsibility and cannot submit any claims in relation to privacy and/or processing of personal data on the Website.
1.4. Upon concluding an agreement with the Client, providing services or selling goods not on the Website, the Company shall have the right to determine additional personal data processing objectives and conditions, which are not discussed in the present Data protection policy. To learn more about processing of personal data in the Company, please contact or visit our Company at the contacts or address in paragraph 1.1.
1.5. When processing personal data of Visitors, the Company follows Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter referred to as the LLPPD), Law on Electronic Communications (LEC) of the Republic of Lithuania and the provisions of other legal acts regulating protection of personal data.
1.6. The Company may amend the present Data protection policy at own discretion announcing the respective information on the Website.
2. TERMS USED IN THE PRIVACY POLICY.
2.1. Personal data shall mean any information about a natural person identified or identifiable directly or indirectly, first of all according to identification such as name and surname, personal identification number, location data and internet identification or according to one or several features of physical, physiological, genetic, mental, economic, cultural or social identity of the said natural person.
2.2. Data subject shall mean a natural person, a client of the Company, a Visitor of the Website, etc. the personal data of whom is collected by the Company.
2.3. Consent of data subject shall mean any freely given, specific and unambiguous expression of will of informed data subject by a statement or unambiguous actions consenting to processing of their personal data.
2.4. Processing of data shall mean any operation or set of operations performed by automated or non-automated means on personal data or set thereof, such as collection, recording, sorting, organizing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, as well as alignment or combination with other data, restriction, erasure or destruction.
2.5. Restriction of data processing shall mean marking of stored personal data in order to restrict their processing in the future.
2.6. Data controller shall mean a natural or legal person, institution, agency or another establishment determining data processing objectives and means alone or together with others.
2.7.Data processor shall means a natural or legal person, institution, agency or another establishment processing personal data in the name of the Controller. Employees of the Company are not considered processors
2.8.Cookies shall means a small text information piece automatically generated when browsing the Website and stored in the computer or another device of the Visitor.
2.9. Direct marketing shall mean an activity intended for direct offer of goods or services or opinion polls on the offered goods or services by mail, phone or other direct means.
3. WHAT PERSONAL DATA ARE COLLECTED ON THE WEBSITE?
3.1. The Company collects and processes the following personal data of Visitors which the Visitors themselves provide upon browsing, registering or ordering services on the Website: name, surname, e-mail, telephone No., data in relation to provision of services (booking dates, times, duration, services, etc, history of purchases), order information, account numbers, payment information, social networks (Facebook, Linkedin, Vkontakte, Google) accounts, dates and times of accessing the account, information on consent or objection to processing of personal data for direct marketing purposes, passwords, as well as any other data which the Visitor additionally provided at own initiative when browsing the Website and communicating with the Company by phone or e-mail.
3.2. The Company collects and processes automatically collected personal data with the help of cookies (only upon agreeing on the use of those cookies by clicking the consent button on the cookie pop-up banner on the Website) and which the Visitors indirectly provide when browsing, registering or ordering services on the Website. The data automatically collected from the computers and/or mobile devices of Visitors when accessing the Website: IP addresses and times, browser used by the user, its version and the language used in it, websites visited by the Visitors before accessing the Website, data about the use of services, devices used to access the Website, age, sex, geographical data and other data collected by Google Analytics, Facebook Pixel, Omnisend, WPML, WooCommerce, WordPress and Popup Maker. Such data shall be stored during the period of cooperation of the Company and the Visitor and depending on the data up to 24 (twenty four) months after the end of the period of cooperation (or the last session of the Visitor to the Website). Such data may be stored for a longer period provided there are other legal grounds.
3.3. Read more about personal data, which are provided by Visitors indirectly by
3.4. When using the services provided by the Website, the Visitor accepts all responsibility for the correctness and accuracy of the provided data.
3.5. If the Visitor does not provide personal data necessary for the conclusion, implementation of the agreement, provision of Website services, etc. or provides inaccurate data, the Company will not be able to conclude an agreement with the Visitor and/or fulfill its terms and conditions or will not be able to provide the Website or general services to the Visitor or duly inform the Visitor.
3.6. In case of change to the personal data provided on the Website or other relevant information, the Visitor undertakes to amend and/or supplement the provided data or other relevant information within 10 (ten) business days.
3.7. In certain cases the Website administrator shall have the right to request updating and/or supplementing the personal data or other relevant information of the Visitor, if it is necessary for the provision of the Website services, fulfillment of the obligations of the Company or the agreement.
4. FOR WHAT PURPOSES ARE PERSONAL DATA COLLECTED AND PROCESSED?
4.1. The Company processes personal data of the Visitor having legal grounds and/or a reasonable and legal interest not violating the interests, rights and freedoms of the Visitor.
4.2.The Company processes personal data for the following data processing purposes:
  • 4.2.1. for administration of accounting documents in relation to ordered services;
  • 4.2.2. for protection and defending, proving and litigation in relation to violated rights and legal interests;
  • 4.2.3. for identification of the Visitor on the Website;
  • 4.2.4. for registration of the Visitor on the Website;
  • 4.2.5. for detecting browser language settings of the Visitor;
  • 4.2.6. for booking rooms;
  • 4.2.7. for purchasing gift coupons;
  • 4.2.8. for communication, including correspondence with the Website Visitor;
  • 4.2.9. for protection of whistleblower rights under the Law of Whistleblower Protection of the Republic of Lithuania;
  • 4.2.10. as well as other legal obligations of the Company.
4.3 Personal data are processed on legal grounds provided by GDPR (EU) 2016/679:
  • 4.3.1. 6(1)(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • 4.3.2. 6(1)(c), i.e. processing is necessary for compliance with a legal obligation to which the controller is subject;
  • 4.3.3. 6(1)(e), i.e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • 4.3.4. 6(1)(f), i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4.4. If the Company wants to use the data of the Visitor for other purposes for which it does not have contractual or legal grounds, the Company will request the consent of the Visitor. With the consent of the Visitor (which can be withdrawn by the Visitor at any moment), the Company will use the data only for specific purposes, for example, as specified in the section on Direct Marketing.
5. HOW ARE PERSONAL DATA OF VISITORS PROCESSED?
5.1. The Company shall ensure that the personal data of Visitors are:
  • 5.1.1. processed in a legal, honest and transparent manner;
  • 5.1.2. collected for specific, clearly defined and legal purposes and will not be processed in manners not compatible with such purposes;
  • 5.1.3. adequate, suitable and just those that are necessary to achieve the objectives above for which they are processed;
  • 5.1.4. accurate and updated when needed;
  • 5.1.5. processed in the manner that upon applying the suitable technical and organizational means safety of personal data would be ensured, including protection from processing of data without consent or illegal processing or data and from accidental loss, destruction or damage to data.
6. WHO THE PERSONAL DATA OF VISITORS ARE TRANSFERRED TO?
6.1. Access of employees of the Company and authorized persons to personal data of Visitors is provided solely for performance of job functions in accordance with the position of the employee and his role in the Company.
6.2. All data recipients, to which the Company transfers (or will transfer if needed) personal data, are obligated (or will be obligated) by legal acts or under signature to protect confidential information. Without the consent or request of the Visitor, the Company will not transfer personal data to other persons not specified in the present terms and conditions, except for cases when the Company is obligated to do so under the procedure established under the legal acts of the Republic of Lithuania or the European Union.
6.3. When providing services or selling goods, fulfilling the requirements of the legal acts of the Republic of Lithuania, its obligations and duties, for internal administration purposes or based on valid interests of the Company and/or having legal grounds, the Company may obtain and/or transfer personal data of the Visitor to state, law enforcement institutions and other legal subjects, as well as third parties, e.g. leasing, credit, insurance, transfer, courier, legal services, etc. companies, partners or service providers, also if necessary to protect the rights of the Company and transfer data to courts, persons participating in debt recovery procedures, bailiffs or just fulfilling the duties prescribed by the laws.
6.4. To ensure the services provided on the Website, the personal data of Visitors shall be transferred to the following data processors:
  • 6.4.1. UAB „200mi“;
  • 6.4.2. UAB „Ekostream“.
  • 6.4.3 UAB „“Kirotech“.
6.5. The Company shall use only processors providing sufficient guarantees to implement technical and organizational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the Visitors as data subjects.
6.6. The Company notes that the processors mentioned above shall have the right to process personal data of Visitors only in accordance with the instructions of the Company.
7. HOW LONG WILL THE PERSONAL DATA BE STORED?
7.1. Personal data of Visitors will be stored for the duration of cooperation and for the time necessary for the fulfillment and administration of the agreement or Website services (sale – purchase), and after that time for the duration that the storage of personal data is obligatory to the Company under the procedure established by the legal acts of the Republic of Lithuania. Storage periods for different personal data according to different data processing purposes may vary from 1 to 50 years, and in cases the duration is not prescribed by legal acts, the Company shall store different personal data for different durations taking into account the purposes of processing and real legal grounds, e.g.:
  • 7.1.1. for processing and administration of services and/or purchase of goods, administration of accounting documents in relation to order of services or goods storage duration is 50 years (Order No. V-100 of 09/03/2011 of the Chief Archivist of Lithuania);
  • 7.1.2. for persons who gave their consent to the use of their personal data for direct marketing and who did not object to such processing of personal data at the moment of collection of data, until the consent is withdrawn or until expiry of the purpose for which the consent was given;
  • 7.1.3. for the duration of submission or materials to court or resolution of disputes, data shall be stored under legal acts regulating duration of data storage, and in case of an event, dispute, investigation, court proceedings, etc. from the beginning of the event and for 1 year after the conclusion of the investigation and/or final court ruling or final decision of respective institutions;
  • 7.1.4. access data for the Website constantly, while the Visitor uses the Website and 3 years after last access;
  • 7.1.5. data related to communication shall be stored until the end of communication or 2 years after the last instance of communication;  
  • 7.1.6. contact data shall be stored constantly for the duration of provision of services or precontract communication and 2 years after provision of services or failure to conclude an agreement, etc.
7.2. In order to learn the desired information, please contact us at the contacts and/or address specified in paragraph 1.1. of the present Data protection policy.

SECTION II. MARKETING

8. PROCESSING OF PERSONAL DATA FOR PURPOSES OF DIRECT MARKETING.
8.1. Without a separate consent of the Visitor, the Company can use the contact data of the Visitor for sending messages or reminders by mail, e-mail, telephone or SMS, when such messages are related to the conclusion of the agreement, including actions before the conclusion of the agreement, provided services and/or to ensure legal obligations of the Company and similar purposes (which are not ascribed to direct marketing purposes).
8.2. The Company may carry out the following actions for Direct marketing purposes (only with an advance consent of the Visitor):
  • 8.3.1. send newsletters for loyalty programs;
  • 8.3.2. provision of discount (loyalty) cards, accounting of discounts, administration of cards, information of persons holding loyalty cards and having given consent to data processing by mail, e-mail, telephone or SMS about news and promotions;
  • 8.3.3. organization and implementation of direct marketing, games, lotteries, opinion polls, quizzes, competitions, promotions, statistics, questionnaires, voting and similar actions;
  • 8.3.4. ensure participation of the person in buyer loyalty (discount) program, direct marketing to the extent it is related to the loyalty (discount) program;
  • 8.3.5. for business analytics and statistics analysis, general research to improve services and their quality
8.4. The Company may request consent to process the following personal data for direct marketing purposes specified in paragraph 8.3.: name, surname, address, e-mail, telephone.
8.5. Having obtained the consent of the Visitor processing and storage periods for personal data processed for direct marketing purposes may be:
  • 8.5.1. for Visitors who did not object or gave consent to such processing of personal data at the moment of collection, for the duration of the direct marketing program (purpose for which the consent was given), upon expiry of the program the data shall be stored for 1 year;
  • 8.5.2. for the duration the Visitor uses the discount card. After the last use of the card, the data shall be stored for 3 years;
  • 8.5.3. until the consent is withdrawn. The consent may be withdrawn as specified in paragraph 18 of the Data protection policy
9. COOKIES.
9.1. Cookies are used to provide the Visitors with a more comfortable and effective way of browsing the Website.
9.2. What are cookies? Cookies are small text files, stored in the browser of the device (e.g. computer, mobile phone, tablet) of the Visitor of the Website, when the Website visitor browses the Website. Cookies are used widely for increase the performance of websites. All mentioned technologies are called ‘cookies’ in the present policy.
9.3. Why are cookies used? To ensure that the Website visitor is provided with full value Website services and increase the performance of the website, Cookies are stored in the computer (device) of the Visitor. The stored information is used by the Company to recognize the Visitor as a previous visitor to the website, collection of information on provided services and/or purchases, statistics on visits to the Website, etc. Cookies help to ensure proper performance of the Website; ensure that the Visitor does not need to log in on every visit to the Website (if the log in function is used); help save the settings of the Visitor chosen during the visit; increase the speed and safety of the performance of the Website; provide the Visitors with the option of sharing websites on social networks; ensure the ability of the Visitor to adapt the Website to own needs; ensure faster search for information on the Website; help improve the Website for it to be more attractive to Visitors; help to improve marketing.
9.4. What are the types of cookies?
  • 9.4.1. Strictly necessary cookies. Such cookies are necessary for the user to be able to browse and use the functions of the website. You can change the settings on your browser to block or inform about such cookies, however in certain cases some content or functions of the website may not operate and the performance will not be as smooth as it should be. Such cookies do not collect any information for marketing purposes and does not remember what websites the visitor visited.
  • 9.4.2. Analytical cookies. Such cookies calculated visits and visitor flow sources to be able to measure and improve performance of the website. E.g. analytical cookies can show which website are visited most often, help register problems on the website and show whether the ads on the website are effective. Analytical cookies do not collect personal information of users and all such information collected by such cookies is anonymous and generalized.
  • 9.4.3. Functional cookies. Such cookies allow improvements to functionality and personalization, for example, they make the format and form of the provided content more effective, set font size or positions of website elements. Functional cookies do not track the actions of visitors on any websites. If the visitor objects to the use of such cookies, certain or all said functions cannot be properly used.
  • 9.4.4. Targeting or advertising cookies. Targeting or advertising cookies are used to show the Website visitor advertisements that are more interesting and match his interests or to limit the number of displays of the same advertisement on the website. Cookies of this type are also used to evaluate the efficiency of a promotion campaign. Such cookies can be used to track what the visitor looked at on the website.
10. SVETAINĖJE NAUDOJAMI SLAPUKAI.
11. HOW CAN I MANAGE COOKIES?
11.1. Strictly necessary cookies are a mandatory condition to the use of the Website of the Company. If you object to such cookies, the Company cannot ensure functionality of the Website.
11.2. The Website visitor can control the use of functional, targeting or advertising cookies by changing the settings of Website cookies or the used browser. Most browsers allow:
  • 11.2.1. checking what cookies are set and deleting individual cookies;
  • 11.2.2. blocking third party cookies;
  • 11.2.3. blocking cookies from specific websites;
  • 11.2.4. blocking sending of all cookies;
  • 11.2.5. deleting all cookies upon closing the browser
11.3. You can check how to clear cache and cookies by clicking on this link: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=lt
11.4. Please be aware that if you clear cookies or disable the use of cookies in the future, the Website may not operate properly or not operate at all. Due to this, the Company does not recommend disabling cookies when using the Website.
12. LINKS ON THE WEBSITE.
12.1. The Website may provide links to third party websites, legal acts, social networks, etc. Please note that third party websites links to which are provided on the website are subject to the Privacy policies of those websites and the Company does not accept any liability for the information content of such websites, their operation as well as provisions of their Privacy policies.
12.2. By clicking on social network Facebook, Instagram, YouTube, etc. links on the Website where the Company administers its accounts, you can also encounter cookies that are administered by the managers of social networks. Some data collected by such cookies may be transferred to the Company.

SECTION III. RIGHTS OF DATA SUBJECTS

13. THE RIGHT OF THE DATA SUBJECT TO ACCESS DATA AND LEARN HOW THEY ARE PROCESSED.
13.1. Upon presenting an identifying document to the controller or processor or confirming his identity under the procedure established by the laws or by electronic means allowing identification of the person, the data subject shall have the right to obtain confirmation from the controller whether his personal data are processed and if such personal data are processed, he shall have the right to access his personal data, learn from what sources and what personal data have been collected, for what purposes they are being processed, what data recipients are being provided and have been provided with them during the last year. When personal data are transferred to a third country, the data subject shall have the right to be informed about suitable protection measures in relation to the data transfer. If requested, the controller shall make available a copy of the processed personal data free of charge once a calendar year. The controller may charge a fee for any other copies requested by the data subject established according to administrative costs. When a data subject submits a request by electronic means and except for cases when the data subject requests to provide it in a different format, the information shall be provided in electronic form.
14. THE RIGHT OF THE DATA SUBJECT TO RECTIFY INACCURATE DATA.
14.1. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
15. RIGHT TO ERASURE ('RIGHT TO BE FORGOTTEN').
15.1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
  • 15.1.1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • 15.1.2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • 15.1.3. the data subject objects to the processing pursuant to Article 21 of the Regulation;
  • 15.1.4. the personal data have been unlawfully processed;
  • 15.1.5. the personal data have been collected when the data subject was younger than 16 years of age and the data of a minor were collected without the consent of a parent or guardian.
15.2. However these rights shall not exercised to the extent that processing is necessary:
  • 15.2.1. for exercising the right of freedom of expression and information;
  • 15.2.2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • 15.2.3. for reasons of public interest in the area of public health;
  • 15.2.4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • 15.2.5. for the establishment, exercise or defense of legal claims.
16. THE RIGHT TO RESTRICTION OF PROCESSING.
16.1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
  • 16.1.1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • 16.1.2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • 16.1.3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
  • 16.1.4. the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
17. THE RIGHT TO DATA PORTABILITY.
17.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  • 17.1.1. the processing is based on consent;
  • 17.1.2. the processing is carried out by automated means.
17.2. The right shall not adversely affect the rights and freedoms of others
17.3. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
17.4. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
18. THE RIGHT TO OBJECT AND WITHDRAW CONSENT TO PROCESSING.
18.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject or for the establishment, exercise or defense of legal claims.
18.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
18.3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
18.4. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
18.5. N.B. The objection of the Visitor to processing of data may restrict or fully terminate his ability to use the services of the Website, where the Company will be unable to provide services or obligations without the data of the Visitor. However where the processing of the data of the Visitor is suspended with respect to direct marketing purposes, the Visitor will be able to continue to use the services of the Company, but will not be able to receive messages on discounts, etc. in relation to direct marketing.
19. THE RIGHT TO DEMAND NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING, INCLUDING PROFILING.
19.1. In the following cases the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling and for the said decision to be reviewed:
  • 19.1.1. where the Company bases decisions solely on automated processing.
  • 19.1.2. If the data subject requests a review of the decision based on automated processing, the controller shall carry out a detailed assessment of all important data, including the information provided by the data subject, which is carried out by a person authorized to change the decision by the controller.
20. THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
20.1. Data processing and protection in the Republic of Lithuania is supervised and controlled by the State Data Protection Inspectorate (SDPI). If you think that the Company violated your rights to processing, you have the right to turn to SDPI by tel. or e-mail: +370 85 279 1445 or e-mail: ada@ada.lt.
21. SUBMITTING A REQUEST TO EXERCISE THE RIGHTS OF THE DATA SUBJECT
21.1. The data subject shall have the right to request to exercise the rights of the data subject orally or in writing, submitting the request in person or by electronic means. If you want to exercise your rights, an employee of the Company will provide you with a document form, where you will specify your request concerning data processing in the Company. You will be informed about the decision within 30 calendar days.
21.2. You can contact the Company concerning exercising the rights of the data subject at the contacts and/or address specified in paragraph 1.1. of the present Privacy policy.
21.3. If the data subject requests to exercise the rights orally or submits the request in writing in person, the data subject shall confirm his identity by presenting an identifying document. If this is not done, the rights of the data subject may not be exercised. The provision shall not apply where the data subject request information on data processing pursuant to Articles 13 and 14 of Regulation (EU) 2016/679.
21.4. If the request to exercise the rights of the data subject is submitted in writing, by submitting the request by mail, then the request shall be accompanied by a notarized copy of an identifying document. Where the request is submitted by electronic means, it shall be signed by a qualified electronic signature or made by electronic means ensuring integrity and irreplaceability of the text. The provision shall not apply where the data subject request information on data processing pursuant to Articles 13 and 14 of Regulation (EU) 2016/679.
21.5. The request to exercise the rights of the data subject shall be legible, signed by the person, it shall state the name, surname, address and/or other contact data of the data subject for communication or at which the decision on exercising of the rights of the data subject is expected.
21.6. The data subject may exercise his rights personally or through a proxy.
21.7. A proxy shall state his name, surname, address and/or other contact data for communication, where the proxy wants to receive the answer, as well as the name, surname, personal number, identification number according to the controller identification system (if such is used), address of the principal, as well as other data necessary for the identification of the data subject and provide a document confirming representation.
21.8. . If there are doubts concerning the identity of the data subject, the controller shall request additional information necessary to prove it.
21.9. Scanned copies of signed requests or complains submitted by e-mail, not signed by a qualified electronic signature, shall not meet the requirements set by legal acts. Such submission of the request may hinder accepting your request, therefore if you do not have a qualified electronic signature, please submit the request in person or by mail under the conditions above.
21.10. Requests concerning exercising rights under GDPR shall be analyzed within 1 month. Taking into account the complexity of the request and the number of received requests, this term may be extended for 2 months, individually informing the applicant and stating the reasons for extending the term.
21.11. Form for exercising the rights of the data subject can be downloaded here
22. ANALYSIS OF THE REQUEST TO EXERCISE THE RIGHTS OF THE DATA SUBJECT
22.1. Upon receipt of the request of the data subject, within a month from the receipt of the request, the data subject shall be provided information about the actions taken under the request. In case of delay on provision of information, within the specified term the data subject shall be informed about the reasons for the delay and the option to lodge a complaint to the State Data Protection Inspectorate. When the data subject submits the request by electronic means, information shall be sent to him, if possible, by electronic means, except for cases when the data subject requests otherwise.
22.2. If the request is submitted in violation of the procedure and requirements established by Section IX of the Rules, it shall not be analyzed and without undue delay but not later than within 14 business days the data subject shall be informed about it stating the reasons.
22.3. If during the analysis of the request, it is determined that the rights of the data subject are restricted on grounds specified in Article 23(1) of Regulation (EU) 2016/679, the data subject shall be informed about it.
22.4. Information on the request of the data subject concerning exercising of rights shall be provided in the state language.
22.5. All actions according to the request of the data subject to exercise the rights of the data subject shall be carried out and information is provided free of charge.
22.6. The data subject may lodge complaints with the State Data Protection Inspectorate, A. Juozapavičius g. 6, Vilnius, e-mail ada@ada.lt, website https://vdai.lrv.lt, as well as courts of the Republic of Lithuania concerning the actions or inaction of the Company in relation to exercising the rights of the data subject personally or through a proxy, or by a non-profit organization or association authorized by him and meeting the requirements of Article 80 of Regulation (EU) 2016/679.
22.7. If material or non-material damages are incurred due to violation of the rights of the data subject, the data subject shall have the right to compensation which can be awarded by the courts of the Republic of Lithuania

SECTION IV. FINAL PROVISIONS

22. The present Privacy policy is reviewed and updated at least once a year or in the event of amendment of legal acts regulating processing of personal data.
23. The Company, its employees, associated or authorized persons, as well as Website visitors shall follow the terms and conditions as well as obligations specified in the Privacy policy and adhere to the principles set by the Privacy policy when performing their functions.
24. The Company shall have the right to partially or fully amend the rules of the present Privacy policy. You will be informed about the changes when we publish the updated version of the Policy on the Website
Last updated: 15/12/2020

Want to take care of your health?

Choose the program that is best suited for you, book a room and come to us.