ŽALVARIS, PRIVATE LIMITED COMPANY
PRIVACY AND COOKIE POLICY
CHAPTER I
PRIVACY POLICY
The purpose of the Privacy Policy is to inform how the personal data of data subjects are collected and processed, how long they are stored, to whom they are provided, what rights data subjects have and how they can exercise these rights or any other issues related to the processing of personal data.
Personal data are processed under the General Data Protection Regulation (EU) 2016/679 (the ‘Regulation’), the Law of the Republic of Lithuania on Legal Protection of Personal Data, and other legal acts regulating personal data protection.
Žalvaris, Private Limited Company, is guided by the following basic principles of data processing:
- Personal data are collected only for clearly defined and legitimate purposes;
- Personal data are processed only lawfully and fairly;
- Personal data are kept up to date;
- Personal data are stored securely and for no longer than required by the stated purposes of processing or by law;
- Personal data are processed only by those employees of Žalvaris, Private Limited Company, who are authorised to do so by their job functions or by duly authorised data processors.
1. TERMS AND DEFINITIONS
1.1. The Data Controller is Žalvaris, Private Limited Company (the ‘Company’), enterprise reg. No 120504795, registration address Palemono g. 1, Kaunas, Lithuania.
1.2. A data subject means any natural person whose data are processed by the Company. The Data Controller collects only the data of the Data Subject, which are necessary for the performance of the activities of the Company and/or while visiting, using, and browsing on the Company’s websites, Facebook sites, etc. (the ‘Website’). The Company ensures that the personal data collected and processed are secure and used only for the specific purpose for which they are collected.
1.3. Personal data mean any information relating directly or indirectly to a data subject who can be identified, directly or indirectly, by reference to the relevant data. Processing personal data means any operation performed upon personal data (including collection, recording, retention, editing, alteration, access, retrieval, disclosure by transmission, archiving, etc.).
1.4. Consent means any freely given and informed indication by which the data subject signifies agreement to processing their personal data for a specified purpose.
2. PERSONAL DATA SOURCES
2.1. The data subject provides personal data. The data subject contacts the Company, uses or purchases the Company’s services, leaves comments, asks questions, requests information at the Company, etc.
2.2. The personal data is obtained when the data subject visits the Website. The data subject fills in the forms contained therein or leaves their contact details, etc., for whatever reason.
2.3. Personal data is obtained from other sources. The data is obtained from other bodies or companies, publicly available registers, etc.
3. PROCESSING OF PERSONAL DATA
3.1. By providing the Company with personal data, the data subject consents to use the collected data by the Company to fulfil its obligations to the data subject by providing the services that the data subject expects.
3.2. The Company processes personal data for the following purposes:
3.2.1. Ensuring the Company’s operational performance and continuity. The type of personal data processed:
- For the conclusion and the performance of contracts, the following personal data of suppliers (natural persons) may be processed: name(s), surname(s), personal identification number or date of birth, place of residence (address), telephone number, e-mail address, place of work, position, signature, data contained in the business certificate (type and class of activity, code, name, periods of activity, date of issue, amount), number of the self-employment certificate, information on whether the data subject is a VAT payer, bank account and bank details, price of the services/goods, currency and other data provided by the person themselves, which the Company receives under the legislation in the course of the Company’s business and/or which the Company is obliged to process by law and/or other legislation.
- For the conclusion and the performance of contracts, the following personal data of suppliers’ representatives may be processed: name(s), surname(s), telephone number, e-mail address, company name, address, position, authorisation data (number, date, date of birth of the authorised person, signature).
- Contracts, VAT invoices and other related documents are stored following the time limits set out in the General Index of Document Retention approved by the Order of the Chief Archivist of Lithuania.
o The legal basis for data processing is the necessity to perform a contract to which the data subject (a client) is a party or to take steps at the request of the data subject (a client) before entering into a contract (Article 6(1)(b) of the GDPR), where the processing of specific personal data is required for compliance with a legal obligation (Article 6(1)(c) of the GDPR).
3.2.2. Waste management services debt management of the Company. The type of personal data processed:
- For the provision of waste management services, the following personal data of suppliers (natural persons) may be processed: name(s), surname(s), personal identification number or date of birth, e-mail address, telephone number, place of residence (address), bank account and bank details, and other data related to the provision of services.
- For the Company’s debtors management and debt recovery, the following personal data of clients (debtors, natural persons) may be processed: name(s), surname(s), personal identification number or date of birth, place of residence (address), e-mail address, debt amount, information on the services rendered, and other data related to the debt.
- Contracts, VAT invoices and other related documents are stored following the time limits set out in the General Index of Document Storage approved by the Order of the Chief Archivist of Lithuania.
- Data relating to the Company’s debtors management are kept no longer than is necessary for the purposes for which the personal data are processed.
o The legal basis for data processing is the necessity to perform a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract (Article 6(1)(b) of the GDPR), where the processing of specific personal data is required for compliance with a legal obligation (Article 6(1)(c) of the GDPR). Data processing is necessary for the legitimate interests pursued by the Company to improve its performance and business success rates (Article 6(1)(f) of the GDPR).
3.2.3. Performance of traineeship contracts. The type of personal data processed:
- Name(s), surname(s), personal identification number or date of birth, signature, telephone number, e-mail address, educational institution, time of traineeship, and assigned activities.
- The personal data of trainees contained in the relevant documents (contracts, orders, applications, etc.), both as e-files or hard copies or in any other form of files, are stored following the time limits set out in the General Index of Document Retention approved by Order of the Chief Archivist of Lithuania.
o The legal basis for data processing is the necessity to perform a contract to which the data subject (a trainee) is party or to take steps at the request of the data subject (a trainee) before entering into a contract (Article 6(1)(b) of the GDPR), and where the processing of specific personal data is required for compliance with a legal obligation (Article 6(1)(c) of the GDPR).
3.2.4. Management of enquiries, comments and complaints. The type of personal data processed:
- Name(s), surname(s) and/or user names, e-mail address, telephone number, address, subject and wording of the enquiry, comment or complaint.
- The data of enquiries, comments and complaints are kept for one year after they are made.
o The legal basis for processing is that processing is necessary for the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR), and the data subject’s consent (Article 6(1)(a) of the GDPR).
3.2.5. Ensuring the security of the Company’s employees, other data subjects and property (video surveillance). The type of personal data processed:
- Image. Video surveillance systems do not use facial recognition and/or analysis technologies and do not group or profile the captured video data by a specific data subject (person). The data subject is informed about the video surveillance using information signs with the symbol of the video camera and the Company’s contact details, which are displayed before entering the monitored area and/or premises. The surveillance field of CCTV cameras excludes premises where the data subject expects absolute protection of personal data.
- Personal data (video data) captured by CCTV cameras are stored for up to 14 (fourteen) days from recording. They are automatically destroyed after that unless there are grounds to believe that an offence, a criminal offence or other unlawful acts have been committed, in which case the data are stored until the end of the relevant investigation and/or proceedings.
o The legal basis for processing is that processing is necessary for the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR).
3.2.6. For management of whistleblowers and reported infringements at the Company, the following data are processed:
- Personal data of the whistleblowers: name(s), surname(s), personal identification number, place of work (former or current service, employment or contractual relationship with the Company), job title, telephone number, personal e-mail or mailing address.
- Details of the infringement: the infringement, the place and time of the infringement, and other information collected about the infringement.
- Person(s) who may have infringed: name(s), surname(s), place of work, job title.
- Witness(es) to the infringement: name(s), surname(s), job title, workplace, telephone number, e-mail address.
- Documents and data are stored following the time limits set out in the General Index of Document Retention approved by the Order of the Chief Archivist of Lithuania.
o The legal basis for processing is that the processing of specific personal data is required for compliance with a legal obligation (Article 6(1)(c) of the GDPR).
3.2.7. Other purposes for which the Company is entitled are to process the data subject’s personal data, where the data subject has given their consent, where the processing is necessary for the Company’s legitimate interest or where the processing is required for the Company’s compliance with a legal obligation.
4. USE OF SOCIAL NETWORKS
4.1. Any information you provide via social media (including posts, the use of ‘Like’ and ‘Follow’ buttons, and other communications) is controlled by the operator of the relevant social network.
4.2. The Company has a Facebook account, and the relevant service provider’s privacy policy is available at https://www.facebook.com/privacy/explanation.
4.3. The Company has a LinkedIn account, and the relevant service provider’s privacy policy is available at https://www.linkedin.com/legal/privacy-policy.
4.4. The Company has a YouTube account, and the relevant service provider’s privacy policy is available at https://policies.google.com/privacy?hl=en-US.
4.5. Should you have any questions about how your personal data are used on these social networks, we recommend that you read the privacy notices of third parties and contact the service providers directly.
5. DISCLOSURE OF PERSONAL DATA
5.1. The Company undertakes to respect the duty of confidentiality towards data subjects. Personal data may be disclosed to third parties only if necessary for the conclusion and performance of a contract to benefit the data subject or for other legitimate reasons.
5.2. The Company may provide personal data to their data processors who provide data processing services to the Company and process personal data on the Company’s behalf. Data processors are entitled to process personal data only following the Company’s instructions and to the extent necessary to properly perform their obligations under the contract. The Company only uses data processors that provide sufficient guarantees that appropriate technical and organisational measures will be implemented so that the processing complies with the requirements of the Regulation and that the data subject’s rights are protected.
5.3. The Company may also disclose personal data in response to requests from the courts or public authorities to the extent necessary for the proper execution of applicable law and the instructions of public authorities.
5.4. The Company guarantees that personal data will not be sold or leased to third parties.
6. PROCESSING OF PERSONAL DATA OF MINORS
6.1. Persons under the age of 14 may not provide any personal data through the Company’s Website. If a person is under 14 years of age to benefit from the Company’s services, the written consent of a representative (parent, guardian) for processing personal data is required before personal information can be provided.
7. PERSONAL DATA RETENTION PERIOD
7.1. Personal data collected by the Company are stored in printed documents and/or on the Company’s information systems. Personal data are processed not longer than is necessary to achieve the purposes of the processing or not longer than is required by the data subjects and/or provided for by law.
7.2. Although the data subject may terminate the contract and cancel the Company’s services, the Company must keep the data subject’s data for possible future claims or legal claims until the data retention periods have expired.
8. DATA SUBJECT’S RIGHTS
8.1. The right of access to information about data processing.
8.2. The right of access to processed data.
8.3. The right of rectification.
8.4. The right to be forgotten. This right does not apply if the personal data for which erasure is requested is also processed on another legal basis, such as processing necessary for the performance of a contract or the performance of an obligation under applicable law.
8.5. The right to restrict data processing.
8.6. The right to object to data processing.
8.7. The right to data portability. The right to data portability must not adversely affect the rights and freedoms of others. The data subject does not have the right to data portability concerning personal data processed in non-automatically structured files, such as paper files.
8.8. The right not to be subject to a decision based solely on automated processing, including profiling.
8.9. The right to complain about the processing of personal data with the State Data Protection Inspectorate.
9. The Company must facilitate the exercising of the data mentioned above subject’s rights, except for the cases provided for by law, where it is necessary to ensure national security or defence, public order, the prevention, investigation, detection or prosecution of criminal offences, the protection of the State’s vital economic or financial interests, the prevention, investigation and detection of breaches of official or professional ethics, or the security of the data subject’s or other persons’ rights and freedoms.
10. PROCEDURES FOR EXERCISING THE DATA SUBJECT’S RIGHTS
10.1. To exercise their rights, the data subject may contact the Company:
10.1.1. by a written request in person, by post, through a representative or by electronic means (e-mail: info@zalvaris.lt);
10.1.2. verbally (by phone: 8 800 00 653);
10.1.3. in writing (to mailing address: Palemono g. 1, Kaunas.
10.2. The data subject can also contact the Company’s Data Protection Officer by e-mail: asmensduomenys@sdg.lt.
10.3. To protect the data against unauthorised disclosure, the Company must verify the data subject’s identity upon receipt of a data subject’s request for data or the exercise of other rights.
10.4. The Company’s reply is provided to the data subject at the latest within one month of receiving the subject’s request, taking into account the specific circumstances of the processing of the personal data. Depending on the complexity and number of requests, this period may be extended by two months if necessary.
11. DATA SUBJECT’S LIABILITY
11.1. The data subject must:
11.1.1. Notify the Company of any changes to the information and data provided. The Company needs to have correct and relevant data subject information;
11.1.2. Provide the necessary information to ensure that, at the request of the data subject, the Company can identify the data subject and verify that they are communicating or cooperating with a specific data subject (either by providing proof of identity or using a procedure established by law or using electronic communications which allow the data subject to be correctly identified). This is necessary to protect the data subject’s personal data and the data of other persons so that the information disclosed about the data subject is only provided to the data subject without prejudice to the rights of other persons.
12. FINAL PROVISIONS
12.1. By providing personal data to the Company, the data subject accepts this Privacy Policy, understands its provisions and agrees to comply.
12.2. In developing and improving the Company’s operations, the Company has the right to change this Privacy Policy at any time unilaterally. The Company is entitled to unilaterally, wholly or partially reverse the Privacy Policy by notifying the relevant changes on the website www.zalvaris.lt.
12.3. Amendments or changes to the Privacy Policy come into force from the date of their publication, i.e. from the date on which they are posted on the website www.zalvaris.lt.
CHAPTER II
COOKIE POLICY
Žalvaris, Private Limited Company (the ‘Company’) handles your data security. We are committed to protecting and processing your data responsibly. This document provides information about how we process your personal data using cookies.
Personal data are processed following the General Data Protection Regulation (EU) 2016/679 (the ‘Regulation’), the Law of the Republic of Lithuania on Legal Protection of Personal Data, and other legal acts regulating personal data protection.
1. USE OF COOKIES
1.1. The Company’s Website uses cookies – small pieces of text information that are automatically created when browsing a website and stored on your personal computer or other device you use. Cookies are used to improve the browsing experience for visitors to the Website to analyse the traffic and behaviour of visitors.
1.2. The Company uses cookies to improve and enhance the website visitor experience.
1.3. The following types of cookies may be used on the Company’s Website:
1.3.1. Technical cookies help to display the Website and its content to the visitor and to ensure the functionality of the Website. Technical cookies are essential for the proper functionality of the Website.
1.3.2. Functional cookies help the visitor use the Company’s Website to store the choices and preferences made during the browsing session. Functional cookies are not essential for the full functioning of the Website, but they add functionality and improve your experience while visiting the Company’s Website.
1.3.3. Analytical cookies are used to obtain information about how visitors use the Company’s Website. This information is needed to optimise and improve the Company’s Website. Analytical cookies allow us to collect data about the web pages you have viewed, the pages that have led you to our Website, the e-mails you have opened and responded to, and the date and time information. This also means that we may use information about you and your use of this Website, such as the frequency of your visit, the number of clicks on a particular page, the search terms used, etc.
1.3.4. Commercial cookies (targeting or advertising cookies) are used to deliver personalised advertising to the visitor of the Company’s Website. This is called ‘remarketing’, based on browsing actions, such as the products and/or services you have searched for, viewed and/or used.
1.4. Access to statistical data about visitors to the Company’s Website is available to the Company’s staff, who are responsible for analysing this data and improving the Website.
1.5. Technical records may also be accessed by the Company’s partners, who provide content management tools for the Company’s Website.
1.6. Google Inc., USA, provide the Google Analytics tool, so it also has access to the statistical data collected by Google Analytics. This provider is subject to contractual and statutory privacy obligations.
1.7. The personal data collected by cookies are stored at the Company no longer than is necessary to achieve the purposes of the processing or not longer than is required by the data subjects and/or provided for by law.
1.8. More details on cookies are available at AllAboutCookies.org.
1.9. If you disagree with our use of cookies, you can change your browser settings and control the number of cookies. Useful links on how to refuse cookies can be found below:
- Chrome: https://support.google.com/chrome/answer/95647?hl=lt&co=GENIE.Platform%3DDesktop;
- Firefox: https://support.mozilla.org/lt/kb/Slapuk%C5%B3%20%C5%A1alinimas;
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac;
- Edge: https://support.microsoft.com/lt-lt/microsoft-edge/slapuk%C5%B3-naikinimas-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09.
2. DESCRIPTION OF COOKIES USED ON THE WEBSITE
Cookie name |
Description of the purpose of the cookie |
Supplier |
Validity |
zalvaris_session |
Used as a session identifier for the active user. |
No data. |
Until the website window is closed |
cookies_agree |
Used to confirm acceptance of cookies. |
No data. |
One year from approval |
_ga |
Used to collect statistical information about website traffic. |
No data. |
Two years after visiting the Website |
_gat |
Used to limit the number of referrals to doubleckick.net. |
No data. |
From accessing the Website till the website window is closed |
_gid |
Used to collect statistical information. |
No data. |
One day after visiting the Website |