1. GENERAL PROVISIONS
1.1. UAB “Agroteka” (hereinafter referred to as the “Company”), company code 300625738, Perspektyvos g. 32, LT-52104, Kaunas, e-mail agroteka@agroteka.lt, tel. no.: +370 37 430181, data protection officer tel. no. +370 608 49799, respecting the right to privacy of interested parties, buyers or simply visitors (hereinafter referred to as the “Visitor”(s)) of the website www.agroteka.lt (hereinafter referred to as the “Website”), undertakes to ensure the protection of their personal data and the protection of their rights as data subjects.
1.2. This Privacy Policy regulates the principles and procedure for processing the personal data of the Company's Visitors when using the services of the Company's Website or purchasing goods on the Website, thereby providing the Company with their personal data. Visitors agree to the provisions of this Privacy Policy, except for data processing actions that will require the Visitor's separate consent and which the Company will request when necessary.
1.3. Visitors can familiarize themselves with the Privacy Policy of the Website by clicking on "Privacy Policy" in the Website menu. If a Visitor objects to the Privacy Policy and/or does not agree with the privacy and/or processing of Personal data on the Website, or simply has not familiarized himself with the Privacy Policy of the Website, he/she may not continue to use the Website, and if he/she continues to use it, he/she acts at his/her own risk and responsibility, and may not make any claims related to the privacy and/or processing of Personal data on the Website.
1.4. When visiting the Website, visitors can agree or disagree with the cookies used on the Website (except for strictly necessary cookies, if any) by clicking the appropriate button in the pop-up cookie bar ("I agree"), and learn more about cookies and their management in the Privacy Policy.
1.5. When concluding a contract with the Client or providing services not through this Website, the Company has the right to establish additional personal data processing purposes and conditions than the data processing purposes carried out through this Website and which are not informed about in this Privacy Policy. To learn more about the processing of personal data in the Company, please inquire or visit our Company at the contacts or address specified in paragraph 1.1.
1.6. When processing Visitors' personal data, the Company complies with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "Regulation (EU) 2016/679"), the Law of the Republic of Lithuania on the Legal Protection of Personal Data (hereinafter referred to as "PDPL"), the Law of the Republic of Lithuania on Electronic Communications (ELC) and other legal acts regulating the protection of personal data.
1.7. The Company may, at its discretion, change the terms of this Data Protection Policy by publishing relevant information on the Website.
2. TERMS USED IN THE PRIVACY POLICY
2.1. Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data and an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.2. Data subject – a natural person – a client of the Company, a visitor to the Website, etc., whose personal data is collected by the Company.
2.3. Consent of the data subject means any freely given, specific and unambiguous indication of the data subject's wishes, by which he or she, by a statement or by a clear action, signifies agreement to the processing of personal data relating to him or her.
2.4. Data processing – any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination with other data, restriction, erasure or destruction.
2.5. Restriction of data processing – marking of stored personal data in order to restrict their processing in the future.
2.6. Data controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of data processing.
2.7. Data Processor – a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller. Employees of the Company are not considered data processors.
2.8. A cookie is a small piece of text information that is automatically created when browsing the Website and is stored on the visitor's computer or other device.
2.9. Direct marketing – an activity intended to offer goods or services to individuals by mail, telephone or other direct means and/or to ask for their opinion on the goods or services offered.
3. WHAT PERSONAL DATA IS COLLECTED ON THE WEBSITE?
3.1. The Company collects and further processes the following personal data of Visitors, which the Visitors themselves provide when visiting, registering, inquiring, submitting their complaints and (or) requests: name, surname, e-mail address, telephone number, data related to the order, sale and payment of goods or services, correspondence by e-mail, information related to discounts granted to the buyer, information about consent and disagreement with the processing of personal data for direct marketing purposes and other information the content of which the Company cannot predict and which the Visitor has provided on his/her own initiative in an e-mail or in the Website notification form when registering, ordering services and/or purchasing goods, inquiring and/or notifying.
3.2. The Website uses cookies, the choice of which can be determined by the Website visitors (except for strictly mandatory cookies) and which automatically collect personal data provided indirectly by the Visitors (during browsing, submitting requests, etc.). This is data that is automatically collected from the computers and/or mobile devices used by the Visitors upon connecting to the Website, e.g.: times, the browser used by the user and its version, websites visited by the Visitors before accessing the Company's Website, data on the use of services, etc. This data is processed by cookie managers (e.g. Google Analytics) and the Company is not responsible for and does not monitor their storage terms.
3.3. More information about personal data that Visitors indirectly provide when visiting the Website can be found in sections 9, 10 and 11 of this Data Protection Policy on cookies.
3.4. When using the services provided by the Website, the Visitor assumes full responsibility for the correctness and accuracy of the data provided.
3.5. If the Visitor does not provide personal data necessary for concluding and executing the contract, providing the Website services, etc. or provides incorrect data, the Company will not be able to conclude a contract with the Visitor and/or fulfill its terms, or will no longer be able to provide the Visitor with the services provided on the Website or in general, or simply properly inform the Visitor.
3.6. If your personal data or other related information specified on the Website changes, the Visitor undertakes to change and/or supplement the personal data or other related information provided by him/her within 10 (ten) working days.
3.7. In individual cases, the Website Administrator has the right to request clarification and/or supplement the Visitor's personal data or other related information, if it is necessary for the provision of Website services, the Company's obligations or the performance of the contract.
3.8. If a separate Visitor account is created on the Website, the Visitor is responsible for the confidentiality of his/her login passwords, as well as for any actions performed on the Website after logging in using the Visitor's login details. The Visitor may not disclose the login details to third parties. Upon learning or suspecting that the Visitor's login details have become known or may become known to third parties, the Visitor must immediately inform the Website administrator using the contacts specified in clause 1.1. and change the login details. In the event that the Website administrator is not informed about this, when a third person who logs in to the Website using your login details uses the Website services, we will assume that you have logged in.
4. FOR WHAT PURPOSES AND BASES ARE PERSONAL DATA COLLECTED AND PROCESSED?
4.1. The Company processes the Visitor's personal data on a legal basis and/or a justified and legitimate interest that does not violate the Visitor's interests, rights and freedoms.
4.2. The Company processes personal data for the following data processing purposes:
4.2.1. For the purpose of identifying the Visitor on the Website;
4.2.2. For the purposes of identifying the visitor and processing and administering the purchase of services and/or goods;
4.2.3. for the purposes of communication, including correspondence with the Website Visitor;
4.2.4. and others. for purposes related to the Company's legal obligations and liabilities.
4.3. Personal data is processed on the legal basis of Regulation (EU) 2016/679:
4.3.1. Article 6(1)(b), i.e. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
4.4. If the Company wishes to use the Visitor's data for other purposes for which it has no contractual or other legal basis, the Company will request the Visitor's consent. With the Visitor's consent (which the Visitor may withdraw at any time), the Company will use the data only for the implementation of a specific purpose, for example, as specified in the Direct Marketing section.
5. HOW IS VISITORS' PERSONAL DATA PROCESSED?
5.1. The Company ensures that the personal data of Visitors will be:
5.1.1. processed lawfully, fairly and transparently;
5.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
5.1.3. adequate, relevant and only those necessary to achieve the aforementioned purposes for which they are processed;
5.1.4. accurate and, where necessary, updated;
5.1.5. processed in such a way that appropriate technical and organizational measures ensure adequate security of personal data, including protection against unauthorized or unlawful processing of Data and against accidental loss, destruction or damage.
6. WHO IS THE PERSONAL DATA OF VISITORS PROVIDED TO?
6.1. The Company's employees and authorized persons are granted access to the Visitor's personal data only for the performance of official functions in accordance with the Employee's duties and role in the Company.
6.2. All recipients of data to whom the Company transfers (or, if necessary, will transfer) personal data are obliged (or will be obliged) by law or by signature to keep confidential information. Without the Visitor's consent or request, the Company will not transfer personal data to other persons not specified in these terms, except in cases where the Company is obliged to do so in accordance with the procedure provided for by the legal acts of the Republic of Lithuania or the European Union.
6.3. The Company, when providing services or selling goods through this Website, fulfilling the requirements of the legal acts of the Republic of Lithuania, its obligations and liabilities, for internal administration purposes or based on the Company's legitimate interest and/or on a legal basis, may receive and/or transfer the Visitor's personal data to the state, law enforcement institutions and other legal entities, as well as to third parties, such as leasing, credit, insurance, transportation, courier, legal services, etc. companies, partners or service providers, as well as if it is necessary to protect the Company's rights and transfer data to law enforcement institutions, persons participating in debt collection procedures, bailiffs or simply in fulfilling the obligations assigned to the Company by law.
7. HOW LONG IS PERSONAL DATA STORED?
7.1. Visitors' personal data are stored for the entire period of cooperation and for as long as they are necessary for the performance and administration of the contract or Website services (purchase - sale), and then for as long as the storage of personal data is mandatory for the Company in accordance with the procedure established by the legal acts of the Republic of Lithuania. In cases where legal acts do not establish terms, the Company stores different personal data for different terms, taking into account the purposes of data processing and the actual legal bases of the Company. The storage periods of different Personal Data according to different data processing purposes can be from 1 to 50 years, for example:
7.1.1. Data on the purchase and sale of services and/or goods provided, including for the administration of accounting documents, are stored for 10 years (Order No. V-100 of the Chief Archivist of Lithuania of 09 March 2011);
7.1.2. persons who have given consent to the processing of their personal data for direct marketing purposes and who did not object to the processing of such personal data at the time of data collection - until the consent is withdrawn or after the purpose for which the consent was given expires, stored for 1 year (whichever comes first);
7.1.3. during the submission of evidence to the court or the examination of disputes, the data is stored in accordance with the legal acts regulating data storage periods, and in the event of an incident, dispute, investigation, legal proceedings, etc. from the beginning of the incident and 1 year after the end of the investigation and/or the adoption of the final decision of the court or the final decision of the relevant institutions;
7.1.4. login details to the Website continuously, while the Visitor uses the Website, and for 3 years after ceasing to use it;
7.1.5. data related to communication are stored until the end of the communication, or for 2 years from the last moment of communication;
7.1.6. contact data is stored continuously while services are provided or pre-contractual communication is taking place, and for 2 years after the end of the provision of services or if a service contract is not concluded, etc.
7.2. In order to obtain the exact information you are interested in, you can contact us at the contacts and/or address specified in clause 1.1 of this Data Protection Policy.
CHAPTER II. MARKETING
8. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
8.1. Without the separate consent of the Visitor, the Company may use the Visitor's contact details to send messages or reminders by post, e-mail, telephone or SMS message, when these messages are related to the conclusion of a contract, including actions prior to the conclusion of a contract, the services provided and/or the Company's legal obligations and/or liabilities and for similar purposes (which are not classified as direct marketing purposes).
8.2. The Company may use the Visitor's personal data for Direct Marketing purposes, as well as to inquire about the quality of existing services or goods by mail, e-mail, telephone or SMS message, only with the Visitor's prior consent and in accordance with Article 6(1)(a) of Regulation (EU) 2016/679, i.e. the data subject has given consent to their personal data being processed for one or more specific purposes, and the provisions of the Law on Electronic Communications of the Republic of Lithuania. Under such conditions, personal data may be used for the following purposes:
8.3.1. for the purposes of sending newsletters;
8.3.2. for the purposes of organizing and conducting direct marketing, games, lotteries, surveys, quizzes, competitions, promotions, statistical questionnaires, voting and similar actions;
8.3.3. Ensuring the visitor's participation in the customer loyalty (discount) program, for the purposes of carrying out direct marketing, as far as it is related to the loyalty (discount) program;
8.3.4. for the purposes of business analytics and statistical analysis, general research that allows for the improvement of services and their quality.
8.4. The Company may request permission to process the following personal data for the purposes of direct marketing specified in clause 8.2: name, surname, e-mail address, telephone number.
8.5. With the Visitor's consent, the processing and storage periods for personal data processed for direct marketing purposes are as follows (whichever comes first):
8.5.1. Visitors who did not object and/or consented to such processing of personal data during data collection – while the direct marketing program (the purpose for which consent was given) continues, after its termination, the data is stored for 1 year;
8.5.2. while the Visitor uses the discount card. After the last use of the card, the data is stored for 3 years;
8.5.3. until consent is withdrawn. Consent may be withdrawn under the conditions specified in clause 18 of the Data Protection Policy.
9. COOKIES
9.1. In order to ensure that Visitors can browse the Website more conveniently and efficiently, the Website uses Cookies.
9.2. What are cookies? Cookies are small text files stored in the browser of a Website visitor's device (e.g. computer, mobile phone, tablet) when the Website visitor browses websites. Cookies are widely used to make websites work or function better and more efficiently. In this policy, all of the aforementioned technologies are referred to as "cookies".
9.3. Why are cookies used? In order to provide the Website visitor with full-fledged website services and to ensure that the visitor can browse the website more conveniently and efficiently, Cookies are stored on the visitor's computer (device). The Company uses the stored information to recognize the visitor as a previous visitor to the website, to store information about the services provided and/or purchases, to collect website traffic statistics, etc. Cookies help ensure that the website functions as it should; ensure that the visitor does not have to log in again each time he visits the website (if the login function is used); help save the visitor's settings selected during the visit; increase the speed and security of the website; provide visitors with the opportunity to share pages on social networks; ensure the visitor's ability to customize the website to their needs; ensure faster information search on the website; help improve the website to make it even more attractive to visitors; help apply more effective marketing.
9.4. What are the types of cookies?
9.4.1. Strictly Necessary Cookies. These cookies are essential for the user to navigate and use the website's features. You can set your browser to block or notify you about these cookies, but in this case some areas or features of the website may not work and the website may not function as smoothly as it should. These cookies do not collect any information for marketing purposes and do not remember where the visitor has visited on the internet.
9.4.2. Analytical cookies. These cookies allow us to count visits and sources of visitor traffic in order to measure and improve the performance of the website. For example, analytical cookies can show which pages are visited most often, help to record failures on the website and show whether advertising displayed on the website is effective. Analytical cookies do not collect personal information about users and all information collected by these cookies is aggregated and anonymous.
9.4.3. Functional cookies. These cookies provide the opportunity to improve functionality and personalization, for example, they optimize the format and form of the presented content, determine the font size or the positions of website elements. Functional cookies do not track the visitor's actions on other websites. If the visitor does not allow these cookies to function, some or all of the above-mentioned functions will not be able to function properly.
9.4.4. Targeting or advertising cookies. Targeting or advertising cookies are used to show the Site visitor more interesting and relevant advertising, or to limit the number of times the same advertisement is displayed on the Site. This type of cookie is also used to measure the effectiveness of an advertising campaign. These cookies can be used to remember what the visitor looked at when visiting the Site.
10. COOKIES USED ON THE SITE
|
COOKIE
|
COOKIE NAME
|
PURPOSE OF DATA PROCESSING
|
MOMENT OF CREATION
|
VALIDITY PERIOD
|
DATA USED
|
||
|
The Google Analytics cookie collects information about user behavior on the website and is used to store statistical information.
|
_ga
|
Analytical cookies
|
During page entry
|
2 years
|
Unique identifier
|
||
|
Cookies are used to collect information about visitors' browsing habits. The information is used to create reports and improve the website. The information is collected in an anonymous form, including the number of visitors, where visitors came from, and which pages they visited.
|
_utma
|
Analytical cookies
|
During page entry
|
2 years
|
Unique identifier
|
||
|
Google Analytics Cookie is used to collect statistical information about website traffic.
|
_utmb
|
Analytical cookies
|
During page entry
|
30 minutes
|
Unique identifier
|
||
|
Google Analytics Cookie is used to collect statistical information about website traffic.
|
_utmc
|
Analytical cookies
|
During page entry
|
30 minutes
|
Unique identifier
|
||
|
Google Analytics Cookie is used to collect statistical information about website traffic.
|
_utmz
|
Analytical cookies
|
During page entry
|
6 months
|
Unique identifier
|
||
|
The cookie is used to collect statistical information about website traffic.
|
_guide
|
Analytical cookies
|
During page entry
|
24 hours
|
Unique identifier
|
||
|
A cookie that allows the Facebook social network to display advertising.
|
fr
|
|
During page entry
|
3 months
|
Unique identifier
|
||
|
These cookies are used to collect website statistics and track conversion rates.
|
1P_JAR
|
Analytical cookies
|
During page entry
|
3 months
|
Unique identifier
|
||
|
Used to link your activity across devices if you're previously signed in to your Google Account on another device.
|
AED
|
Analytical cookies
|
During page entry
|
2 years
|
Unique identifier
|
||
| A series of cookies starting with _hj characters is used by the HotJar tool to improve the user's browsing experience on the website. | _hj | Analytics cookies | During page entry | 1 year | Unique identifier | ||
|
The cookie is used to associate visiting users with Facebook advertising.
|
_fbp
|
Analytical cookies
|
During page entry
|
30 minutes
|
Unique identifier
|
||
|
MailerLite newsletter subscription display cookie
|
mailerlite:webform:shown
|
Functional
|
During page entry
|
2 years
|
Unique identifier
|
11. HOW CAN I CONTROL COOKIES?
11.1. Strictly necessary cookies are a mandatory condition for using the Company's Website. If you refuse these cookies, the Company will not be able to ensure the functionality of the Website.
11.2. The Website visitor can control the use of functional, targeting or advertising cookies by changing the settings of the Website's cookies or the browser used and deleting cookies. In most browsers it is possible to:
11.2.1. check which cookies are stored and delete individual cookies;
11.2.2. block third-party cookies;
11.2.3. block cookies from specific websites;
11.2.4. block the sending of all cookies;
11.2.5. delete all cookies when closing the browser.
11.3. You can view the options for clearing the cache and cookies by clicking on the following links: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=lt or https://tools.google.com/dlpage/gaoptout
11.4. Please note that deleting cookies or disabling the use of cookies in the future may result in the Website not functioning properly or not functioning at all. For these reasons, the Company does not recommend disabling cookies when using the Website.
12. LINKS PROVIDED ON THE SITE
12.1. The Website may contain links to third-party websites, legal acts, social networks, etc. sources. It should be noted that the third-party websites linked to on the Website are subject to the Privacy Policies of these websites and the Company does not assume responsibility for the content of the information provided by these websites, their activities and the provisions of their Privacy Policies.
12.2. By clicking on the links on the Website to social networks Facebook, Instagram, YouTube, etc., where the Company administers its accounts, cookies administered by the social network managers may also be used. Some of the data collected by these cookies may be transferred to the Company.
CHAPTER III. RIGHTS OF DATA SUBJECTS
RIGHT TO BE INFORMED (RIGHT TO RECEIVE INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA)
13. Content and conditions of implementation of the right to be informed:
13.1. When personal data is collected from a data subject, the Data Controller, at the time of receiving the personal data, provides the data subject with the information required by law regarding the processing of his or her personal data (including, but not limited to, information about the name of the Data Controller, the purpose of data processing, the rights of data subjects, the sources and recipients of the data, the basis and term of processing).
13.2. If the Data Controller intends to further process personal data for a purpose other than that for which the personal data were collected or obtained, the Data Controller shall provide the data subject with information about that other purpose and any other relevant additional information before such further processing.
13.3. The above obligation to provide information to the data subject when collecting personal data from the data subject himself does not apply if the data subject already has such information, and to the extent that he has such information.
13.4. When personal data is not obtained from the data subject, the Data Controller shall provide the data subject with the information required by law:
13.4.1. within a reasonable period of time from the receipt of the personal data, but no later than one month, taking into account the specific circumstances of the processing of personal data;
13.4.2. if the personal data will be used to maintain contact with the data subject - no later than the first time the data subject is contacted; or
13.4.3. if it is intended to disclose personal data to another data recipient - no later than when the data is disclosed for the first time.
13.5. Where personal data are not obtained from the data subject, the obligation to provide information to the data subject does not apply if and to the extent that:
13.5.1. the data subject already has the information;
13.5.2. the provision of such information is impossible or would involve a disproportionate effort, or if this obligation is likely to render impossible or significantly impair the achievement of the purposes of that processing. In such cases, the Data Controller shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including making the information public;
13.5.3. the receipt or disclosure of data is expressly provided for in the law of the European Union or the Republic of Lithuania, which applies to the Data Controller and which lays down appropriate measures to protect the legitimate interests of the data subject; or
13.5.4. when personal data must remain confidential in accordance with the obligation of professional secrecy regulated by the law of the European Union or the Republic of Lithuania, including the obligation to maintain secrecy established by the articles of association.
CHAPTER III
RIGHT TO ACCESS DATA
14. The data subject has the right to obtain from the Data Controller confirmation as to whether personal data relating to him or her are being processed, and if such personal data are being processed, has the right to access personal data and other information provided for in legal acts regarding the processing of his or her personal data. The Data Controller shall, upon request of the data subject, exercise the right to access his or her personal data by providing:
14.1. information whether the personal data of the data subject are being processed or not;
14.2. information related to the processing of personal data, as provided for in Article 15(1) and (2) of Regulation (EU) 2016/679, if the personal data of the data subject are processed;
14.3. a copy of the personal data being processed.
15. Upon request by the data subject, the Data Controller shall provide a copy of the personal data processed. For any other copies requested by the data subject, the Data Controller may charge a reasonable fee, determined in accordance with administrative costs. Where the data subject submits the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests it to be provided otherwise.
CHAPTER IV
RIGHT TO REQUEST CORRECTION OF DATA
16. The data subject shall have the right, pursuant to Article 16 of Regulation (EU) 2016/679, to obtain from the Data Controller the rectification of inaccurate personal data concerning him or her without undue delay.
17. Taking into account the purposes for which the data were processed, the data subject also has the right to request that incomplete personal data be completed, including by submitting a supplementary statement.
18. In order to verify that the personal data of the data subject being processed are inaccurate or incomplete, the Data Controller may request the data subject to provide supporting evidence.
19. If the personal data of the data subject (corrected at the request of the data subject) have been transferred to data recipients, the Data Controller shall inform these data recipients thereof, unless this proves impossible or would involve disproportionate effort. The data subject shall have the right to request information about such data recipients.
CHAPTER V
RIGHT TO REQUEST DELETEMENT OF DATA (“RIGHT TO BE FORGOTTEN”)
20. The right of the data subject to erasure of his or her personal data (the "right to be forgotten") shall be exercised in the cases provided for in Article 17 of Regulation (EU) 2016/679. The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
20.1. when the data controller processes personal data (name, surname, telephone number, e-mail address) for the purpose of direct marketing in accordance with Article 8(1) of Regulation (EU) 2016/679;
20.2. when the data controller processes personal data (IP address, data collected using website cookies, etc.) for the purpose of administering the website;
20.3. the personal data are no longer necessary to achieve the purposes for which they were collected or otherwise processed;
20.4. the data subject withdraws the consent on which the data processing is based and there is no other legal basis for processing the data;
20.5. the data subject does not consent to the processing of the data and there are no overriding legitimate reasons for processing the data;
20.6. personal data was processed unlawfully;
20.7. personal data must be deleted in accordance with a legal obligation established by EU or Republic of Lithuania law;
20.8. The data controller may refuse to exercise the right to be forgotten only on the grounds provided for in legal acts.
21. The data subject's right to request the erasure of personal data ("right to be forgotten") may not be exercised in the cases provided for in Article 17(3) of Regulation (EU) 2016/679 (in order to comply with a legal obligation established in laws and other legal acts requiring the processing of personal data for the performance of a task carried out in the public interest and for the establishment, exercise or defence of legal claims).
22. If the personal data of the data subject (deleted at the request of the data subject) have been transferred to recipients, the Data Controller shall inform these recipients thereof, unless this proves impossible or would involve a disproportionate effort. The data subject shall have the right to request information about such recipients.
CHAPTER VI
RIGHT TO RESTRICT DATA PROCESSING
23. The data subject has the right to request that the Data Controller restrict the processing of data in the cases provided for in Article 18(1) of Regulation 2016/679 where one of the following applies:
23.1. the data subject contests the accuracy of his or her personal data processed by the Data Controller. In such a case, the processing of the data subject's personal data may be restricted for a period during which the Data Controller verifies the accuracy of the personal data;
23.2. it is established that the personal data of the data subject have been processed unlawfully and the data subject does not request the erasure of the data and instead requests the restriction of their use;
23.3. if the purpose of processing personal data has been achieved and the Data Controller no longer needs the personal data collected to achieve this purpose, but the data subject needs them in order to assert, exercise or defend legal claims;
23.4. if the data subject does not consent to the processing of personal data relating to him or her pursuant to Article 21(1) of Regulation (EU) 2016/679, the processing may be restricted for a period during which the Data Controller verifies whether its legitimate grounds override those of the data subject;
23.5. if the data subject requests the erasure of his/her personal data processed by the Data Controller and it is determined that the request is justified, but there are no technical possibilities to erase the data subject's personal data. In such a case, the processing of the data subject's personal data may be restricted until the data subject's personal data are erased.
24. The data controller, having received the request of the data subject specified in paragraph 16 of the Description, shall assess whether the request submitted by the data subject is justified, no later than within 10 working days from the date of receipt of the request.
25. If it is determined that the request submitted by the data subject is justified, the Data Controller must:
25.1. restrict the processing of the data subject's personal data (in this case, personal data is only stored, no other data processing actions are performed):
25.1.1. in automated structured data sets, the processing of personal data shall be restricted by technical and organisational measures in such a way that the personal data shall not be further processed and shall no longer be subject to modification, transfer, etc., except for the cases specified in point 19. The processing of personal data shall be restricted by clearly marking it with appropriate labels;
25.1.2. to clearly mark manually processed personal data sets, all documents or their sets with appropriate labels, to restrict access to these documents or to transfer them to the archive until the processing restriction is lifted or further processing is necessary, in the cases specified in paragraph 19;
25.2. no later than 5 working days from the date of the decision to restrict data processing, inform the data subject about the restriction of the processing of his/her personal data. If possible, indicate the preliminary period during which the processing of the data subject's personal data will be restricted;
25.3. no later than 5 working days from the adoption of the decision to restrict data processing, inform the data recipients about the decision to restrict the processing of the data subject's personal data, if the data subject's personal data were provided to the data recipients. Informing the data recipients is not required when providing such information is impossible or excessively difficult (due to the large number of data subjects, the period of personal data storage, unreasonably high costs).
26. The data controller may perform processing operations, other than storage, of personal data whose processing is restricted, only with the consent of the data subject or for the establishment, exercise or defence of legal claims, or to protect the rights of another natural or legal person, or for important reasons of public interest.
27. When a decision is made to lift the restriction on processing the personal data of the data subject, the Data Controller must inform the data subject thereof before lifting the restriction.
CHAPTER VII
RIGHT TO DATA PORTABILITY
28. The Data Subject's right to data portability, as provided for in Article 20 of Regulation (EU) 2016/679, shall be exercised by the Data Controller only in respect of the personal data processed for the purposes set out below. The Data Subject shall have the right to receive from the Data Controller the personal data relating to him or her in a structured, commonly used and machine-readable format:
28.1. This right may be exercised by the data subject in cases where the processing of personal data is based on the consent of the data subject or on a contract concluded with the data subject, and also when the personal data are processed by automated means;
28.2. The right to data portability does not apply in cases where the processing of personal data is based on grounds other than consent or contract, in addition, when personal data are processed in structured files, for example, in paper files, and in cases where the processing of personal data is necessary for the data controller to comply with a legal obligation to which it is subject or to perform a task carried out in the public interest or in the exercise of public authority vested in the data controller.
29. In exercising his/her right to data portability, the data subject shall have the right to request that the Data Controller transmit his/her personal data directly to another data controller, where technically feasible. Upon the data subject's request for portability, his/her personal data shall not be automatically deleted. If the data subject so requests, he/she shall contact the data controller to exercise the right to erasure (the "right to be forgotten").
CHAPTER VIII
RIGHT TO OPPOSE DATA PROCESSING
30. The data subject shall have the right, in accordance with Article 21 of Regulation (EU) 2016/679, to object, on grounds relating to his or her particular case, at any time to the processing of personal data relating to him or her, where such processing is carried out in accordance with points (e) or (f) of Article 6(1) of the Regulation, including profiling.
31. The Data Controller shall exercise the data subject's right to object to the processing of personal data where the processing of personal data is based on the legitimate interests of the Data Controller or a third party.
32. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
33. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to personal data relating to him or her being processed for such marketing purposes, including profiling insofar as it is related to such direct marketing.
34. Where the data subject objects to the processing of data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
35. Where personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), the data subject shall have the right, on grounds relating to his or her particular case, to object to the processing of personal data relating to him or her, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
36. If the data subject objects to the processing of personal data, such processing shall be carried out only if it is decided on a reasoned basis that the reasons for which the personal data are processed override the interests, rights and freedoms of the data subject, or if the personal data are necessary for the establishment, exercise or defence of legal claims. The Data Controller shall inform the data subject orally and/or in writing about the refusal to exercise the data subject's right to object to the processing of personal data. The written document shall be forwarded to the data subject by electronic means of communication or delivered to the data subject in person, with a receipt signed for.
CHAPTER IX
RIGHT TO REQUEST NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED DATA PROCESSING, INCLUDING PROFILING
37. In these cases, the data subject has the right to request that a decision based solely on automated data processing not be applied to him or her and that such a decision be reviewed:
37.1. when the Data Controller makes decisions based solely on automated data processing.
38. When a data subject requests a review of a decision based on automated data processing, the data controller must conduct a thorough assessment of all relevant data, including the information provided by the data subject, by a person within the data controller who has the appropriate authority and capacity to reverse the decision.
CHAPTER X
SUBMITTING A REQUEST TO EXERCISE DATA SUBJECT RIGHTS
39. The data subject has the right to apply for the implementation of the data subject's rights orally or in writing, by submitting a request in person, by mail or by electronic means:
39.1. address: Perspektyvos st. 32, LT-52104, Kaunas;
39.2. Tel. No.: +370 37 430181;
39.3. e-mail address: agroteka@agroteka.lt;
39.4. Data Protection Officer phone number: +370 608 49799;
40. If the exercise of the data subject's rights is requested orally or in writing in person, the data subject must confirm his or her identity by providing a personal identification document. Failure to do so shall result in the data subject's rights not being exercised. This provision shall not apply if the data subject requests information on the processing of personal data in accordance with Articles 13 and 14 of Regulation (EU) 2016/679.
41. If the exercise of the data subject's rights is requested in writing, by submitting a request by post, then a copy of the personal identification document certified by a notary must be submitted together with the request. When submitting a request by electronic means, the request must be signed with a qualified electronic signature or it must be formed by electronic means that allow ensuring the integrity and immutability of the text. This provision does not apply if the data subject requests information about the processing of personal data in accordance with Articles 13 and 14 of Regulation (EU) 2016/679.
42. The request to exercise the rights of the data subject must be legible with clearly expressed wishes, signed by the person, and must include the data subject's name, surname, personal identification number if necessary to establish the identity of the data subject, address and/or other contact details for maintaining contact or for receiving a response regarding the exercise of the data subject's rights.
43. The data subject may exercise his or her rights himself or herself or through a representative.
44. The representative of the person must indicate in the request his/her name, surname, address and/or other contact details for communication, by which the representative of the person wishes to receive a response, as well as the name, surname, personal code, identification number according to the data controller's identification system (if used), address and other data necessary for the identification of the data subject, and submit a document confirming the representation of the represented person.
45. In case of doubt regarding the identity of the data subject, the data controller shall request additional information necessary to verify it.
46. When applying in writing for the exercise of the data subject's rights, submit a request in the form specified in Annex 1 to the Rules.
47. For all issues related to the processing of the data subject's personal data and the exercise of their rights, the data subject has the right to contact the data protection officer by phone +370 608 49799 and by e-mail at info@novusnexus.lt. In order to ensure the confidentiality established in Article 38(5) of Regulation (EU) 2016/679, when contacting the data protection officer by mail, the subject line of the e-mail shall state that the letter is addressed to the data protection officer.
47.1. You can download the form for exercising the rights of the data subject by clicking here.
CHAPTER XI
EXAMINATION OF A REQUEST TO EXERCISE THE RIGHTS OF THE DATA SUBJECT
48. Upon receipt of a request from a data subject, the controller shall, without undue delay and in any event not later than one month from receipt of the request, provide the data subject with information on the action taken in response to the request in accordance with Articles 15 to 22. In the event of a delay in providing the information, the data subject shall be informed thereof within one month from receipt of the request, stating the reasons for the delay. That period may be extended by a further two months, where necessary, taking into account the complexity and number of requests.
49. Where the data subject submits a request by electronic means, the information shall also be provided to him, if possible, by electronic means, unless the data subject requests it to be provided otherwise.
50. If the request is submitted without complying with the procedure and requirements set out in Chapter X of the Rules, it shall not be considered, and the data subject shall be informed thereof immediately, but no later than within 14 working days, indicating the reasons.
51. If, during the examination of the application, it is determined that the rights of the data subject are restricted on the grounds provided for in Article 23(1) of Regulation (EU) 2016/679, the data subject shall be informed thereof.
52. Information at the request of the data subject regarding the exercise of his or her rights shall be provided in the state language.
53. All actions in accordance with the data subject's requests to implement the data subject's rights shall be carried out and information shall be provided free of charge.
54. The data subject has the right to complain about the actions or inaction of the data controller in implementing the data subject's rights, either by himself or by the data subject's representative, as well as by a non-profit institution, organisation or association authorised by him or her, which meets the requirements of Article 80 of Regulation (EU) 2016/679, to the State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, e-mail ada@ada.lt, website https://vdai.lrv.lt, as well as to the Court of the Republic of Lithuania.
55. If a data subject suffers material or non-material damage due to a violation of his/her rights, the data subject has the right to compensation, for which he/she has the right to apply to a court of the Republic of Lithuania.
CHAPTER XII
FINAL PROVISIONS
56. Personal data shall be stored for no longer than is necessary for the purposes for which they were collected, or for such period as is provided for by law.
57. The data controller takes all possible security measures to protect personal data from unauthorized access, use or disclosure.
58. When collecting and using personal data, the Data Controller adheres to the following principles:
58.1. personal data are processed in a lawful, fair and transparent manner (principle of legality, fairness and transparency);
58.2. personal data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes (purpose limitation principle);
58.3. personal data are adequate, relevant and only those necessary for the purposes for which they are processed (principle of data minimisation);
58.4. personal data are accurate and updated where necessary (principle of accuracy);
58.5. personal data are kept in a form that permits identification of the person for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation);
58.6. personal data are processed in such a way that, by applying appropriate technical or organizational measures, appropriate security of personal data is ensured, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage (principle of integrity and confidentiality).
59. When collecting and using personal data, the Data Controller undertakes to:
59.1. process personal data only for clearly defined and legitimate purposes;
59.2. not to process personal data for purposes other than those specified in the Rules, except for cases specified in legal acts;
59.3. process personal data lawfully, accurately, transparently, fairly and in such a way as to ensure the accuracy, identity and security of the personal data being processed;
59.4. ensure that no excessive personal data is processed;
59.5. process personal data for no longer than is necessary for the purposes for which the personal data are processed;
59.6. be responsible for ensuring compliance with the principles set out in the Rules and be able to demonstrate compliance with them;
59.7. to perform other duties provided for in legal acts.
Last update: 2022-09-08