UAB “BALTIC AMADEUS” (hereinafter referred to as the Company or we), when processing personal data, complies with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the Regulation), the Law on Legal Protection of Personal Data of Republic of Lithuania and requirements of the other applicable legal acts and ensures the security of your personal data.
You – are the visitors of our websites www.ba.lt, www.enjoyit.lt and www.fincell.eu/ (hereinafter referred to as the Websites), service users, employees and personnel selection participants, customers, partners and other data subjects whose personal data we have the right to process and undertake to properly protect.
1. Processed personal data
We may collect and process the following categories of personal data:
- Personal identification data – name, surname, position, name of the workplace, etc.;
- Contact personal data – e-mail address, telephone number, workplace or residence address, etc.;
- Personal data confirming personal identity – personal identification number, personal identity document No., etc.;
- Personal data related to employment – information you provide in your CV, cover letter or other documents provided to us, information about your education, professional qualifications, work experience, etc.;
- Information about browsing our Websites – technical data of the device used, IP address, operating system, type of browser, etc.;
- Personal data that may be provided to us by other data controllers or processors using our services;
- Any other personal data relating to you that you may provide us by contacting us, using or wishing to use our services, visiting our office, etc.
2. Legal basis and objectives for the processing of personal data
We process personal data on the following grounds and for the following purposes:
- Based on your consent – to respond to your inquiries, provide you with information, advertise our services, enable you to use our Websites, analyse your browsing behaviour on our Websites using cookies, perform personnel selections, arrange events, competitions, service presentations, provide direct marketing offers, etc.;
- Based on concluding and executing a contract with you – to prepare a commercial offer, enter into a contract and provide services, communicate with you or your representatives, properly fulfil the obligations to you;
- Based on a legal obligation imposed on us – to meet the mandatory requirements imposed on us by legislation or decisions of the competent authorities or supervisory authorities, etc.;
- Based on our legitimate interest – to ensure the security of our employees and assets, to protect or defend our rights against violations (e.g. to defend our rights in court/arbitration, to manage arrears, etc.), to exercise the right to insurance coverage, to improve the quality of services provided, to ensure the performance of our contractual obligations, to offer similar services to existing customers, etc.
Your personal data are processed only for the purposes for which they were collected. In case of the purpose changes – we will inform you about it and ensure that personal data is always processed on an appropriate legal basis.
3. Transfer of personal data to other recipients
We may transfer (disclose, grant access) personal data to third parties (other data controllers, processors or recipients) in the following cases and procedures:
- If we are required to provide personal data to the competent authorities based on an existing legal obligation (Sodra, VMI, Department of Statistics, etc.) or individual legal order (e.g., law enforcement authorities);
- If we use ancillary data processors (e.g., IT service providers, server and other infrastructure service providers and intermediaries, consultants, insurance companies, communication service providers, recruitment agencies, etc.) for the processing of personal data, with whom contracts are concluded defining the scope of data processing, implementation of appropriate organisational and technical measures and other obligations necessary to ensure secure personal data processing and confidentiality;
- If we must protect or defend our legitimate interests (e.g., to transmit data about the incident to law enforcement authorities, insurance companies, etc.);
- If your consent has been obtained for the disclosure of personal data (e.g., the employee’s consent to use his/her image (photo) in public communication).
In all cases where personal data are transferred to third parties, we ensure that the data shall only be disclosed to trusted recipients and to the minimum extent necessary to achieve the purpose of the processing.
4. Transfer of personal data to recipients outside the EEA
We may also transfer (provide access to) your personal data to our or our partners’ employees, auxiliary data processors or other data controllers (e.g., IT service providers, servers and other infrastructure service providers and intermediaries, etc.) outside the European Economic Area (EEA). When transferring personal data outside the EEA, we undertake to ensure that the data are transferred only to countries that ensure adequate legal protection of personal data and following the requirements of the Regulation, such as the application of standard contract clauses, etc.
5. Personal data retention period
We set retention periods for personal data according to the specific purposes of the processing and process the data only for as long as necessary to achieve the respective purposes. For example:
- We store the personal data of the customers/their representatives provided to us for the purpose of performance of the service provision/cooperation agreement for 10 (ten) years from the date of termination of the agreement;
- We store personal data managed/processed by the customers and provided to us in accordance with the concluded personal data processing agreements until the expiry of the service provision/cooperation agreement unless a different storage term is stipulated in the contract concluded with a specific customer or specified in a separate instruction by the customer;
- We process the contact personal data of the customers/their representatives for the purposes of direct marketing as long as the service provision/cooperation agreement is in force or the customer/its representative’s objection to further data processing is received;
- We store the data of persons who have agreed to receive direct marketing offers no longer than 3 (three) years after the date of receipt of the consent;
- We store the personal data of candidates for work in the Company for a period specified in the Job candidates’ personal data processing procedure.
The terms of storage of personal data of our employees, suppliers of goods and services/their representatives processed for internal administration (personnel management, management and use of available material and financial resources, accounting and record keeping) are set in the Company’s internal documents.
We ensure that at the end of the retention period of personal data, all data shall be securely destroyed or depersonalised. Therefore, the information cannot be recovered.
6. Personal data safeguarding
We grant access to your personal data only to those employees or partners whose processing of personal data is necessary for the performance of their direct duties and who are properly familiarised with the requirements applicable to the processing of personal data.
We apply appropriate technical and organisational measures to ensure the secure processing of your personal data, data confidentiality, integrity and access control. We have approved and implemented personal data and information security procedures, determining the application of preventive measures, distribution of responsibilities, control measures and procedures for responding to security breaches. All procedures regulating the Company’s activities are periodically reviewed, execution of the procedures supervised, and employee training arranged.
The Company’s knowledge and professional qualifications of our specialists are certified by Human Factors Certified Usability Analyst (CUA), Certified Ethical Hacker (CEH), Information Systems Security Professional (CISSP), Certified Data Privacy Solutions Engineer (CDPSE), Certified Information Security Auditor (CISA) and ISO/IEC 27001 Information Security Management System certifications.
7. Automated decision making and profiling
The Company shall not process personal data through automated individual decision-making. Yet, it may conduct profiling (i.e. automated processing of personal data where personal data are used to assess certain personal aspects of an individual) that does not have legal consequences or similarly significant effects for you.
Profiling shall be based on the Company’s legitimate interests, the performance of the contract and/or your consent. If you have agreed to receive direct marketing messages, the Company shall have the right to process personal data for the purpose of sending direct marketing messages of a general nature and/or individually tailored to you.
8. Your rights
As a data subject, you shall have the following rights under the Regulation to:
- Get acquainted with your personal data processed by us (right of access);
- Require us to correct your personal information if it turns out to be inaccurate;
- Require us to delete your personal data (right to be forgotten);
- Demand that we limit the processing of personal data;
- Require us to provide your personal data in a structured, commonly used and computer-readable format for transfer to another data controller (right to data portability);
- Do not consent to the processing of your personal data, including processing for marketing purposes;
- Disagree with automated decision-making, including profiling.
To exercise these rights, we hereby ask you to:
- Provide us with the information we need to identify you (for personal identification);
- Formulate your application and provide related information.
We undertake to respond to your request no later than 1 (one) month from its receipt. If you believe that our processing of personal data does not comply with the requirements established by the Regulation or other legal acts, you have the right to apply to the State Data Protection Inspectorate using the contacts provided on its website: https://vdai.lrv.lt/
When you visit our Websites, we may collect certain information about your device, IP address, operating system, browser type, and more. We need this information to administer the system, provide assistance, collect aggregated data for analysis and quality improvement.
Types of cookies used on Websites:
- Strictly necessary – these types of cookies are necessary for the operation of the Website. These cookies cannot be disabled because the Website will not function properly without them.
- Functional – used to prevent changes to settings, such as language or time zone selection, each time you visit our Website.
- Analytical – these cookies are used to collect general statistics on the number of visitors to monitor the performance of the Websites for analytical purposes and to improve their performance.
- Marketing – used to better tailor the content of the Websites to provide customised ads that may be of interest to an individual user.
If you do not agree to the storage of cookies on your device, you can revoke the consent at any time by using them by changing the settings and deleting the stored cookies. If you have chosen to delete cookies, remember that all the settings you have set are also deleted. In addition, if cookies are completely blocked, the Websites may no longer function properly. For these reasons, we do not recommend disabling cookies.
10. Third party websites
12. Our details
You can find our details and contact data at: https://www.ba.lt/lt/kontaktai/
If you have any questions concerning the processing of personal data, please contact us by e-mail at firstname.lastname@example.org