By this privacy policy (hereinafter – the Privacy Policy) private limited liability company UAB "SPA Birštono sveikatinimo paslaugos”, entity’s code 304830530, office address at Karalienės Barboros ave. 2, Birštonas (hereinafter – the Data Controller) establishes the conditions for processing of personal data when using the website www.vytautasmineralspa.lt and www.spavytautas.lt (hereinafter – the Website) managed by the Data Controller, and visiting the mineral spa facility Vytautas Mineral SPA. The conditions established by the Privacy Policy shall apply each time you visit the mineral spa facility Vytautas Mineral SPA or the Website, regardless of what kind of device (computer, mobile phone, tablet, TV or other) you are using.

 It is very important that you read the Privacy Policy carefully, for each time you visit the Website owned by the Data Controller, the mineral spa facility Vytautas Mineral SPA, you consent to the conditions described in this Privacy Policy. If you do not consent to these conditions, please do not visit our website, do not use our content and/or services.

 By providing his personal data (including data which he directly or indirectly provides when visiting the website and using its services) the data subject consents and agrees that the Data Controller controls and processes thereof for the purposes and in accordance with the procedure indicated in this Privacy Policy, the Data Subject’s consent and provided for in the legal acts.

 Participant means a person participating or intending to participate in games, campaigns and/or contests organised by the Data Controller.

 Data Subject in this Privacy Policy shall be considered to be the Applicant, the Client, the Candidate, the Phone Caller or any other natural person whose personal data is processed by the Data Controller.

 Applicant means a natural person interested in the services provided by the Data Controller or willing to contact the Data Controller on other matters.

 Client means a person who acquired goods, services from the Data Controller or concluded a contract with the Data Controller regarding purchase of goods and/or provision of services.

 Candidate means a person participating or intending to participate in personnel selection carried out by the Data Controller.

 Phone Caller means a person calling at the contact phone indicated on the Website regarding provision of services by the Data Controller and/or other matters.

 The Data Controller will collect personal data in compliance with the requirements of legal acts of the European Union and the Republic of Lithuania being in force and the instructions of controlling authorities. All reasonable technical and administrative measures are applied so that the collected data on the Data Subjects is protected against loss, unauthorised use or alterations.

 Persons who are younger than 16 years may not provide any personal data through the Data Controller’s Website. If you are a person who is younger than 16 years, before providing personal information you must obtain consent of your parents or other legal guardians.

This Privacy Policy is composed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – the General Data Protection Regulation), the Republic of Lithuania Law on Legal Protection of Personal Data, other legal acts of the European Union and the Republic of Lithuania. Definitions used in the Privacy Policy are to be understood the way they are defined in the General Data Protection Regulation and the Republic of Lithuania Law on Legal Protection of Personal Data.

 WHAT INFORMATION ABOUT YOU WE COLLECT?

 Information directly provided by you.

 Information on how you use our Website.

If you visit our Website we also collect information which reveals the specifics of the use of services we provide or the automatically generated visit statistics. For more information, see „Cookies“.

 Information from third party sources

We may receive information about you from public and commercial sources (to the extent allowed by the legal acts in force) and associate it with other information which we receive from you or about you. We may receive information about you also from third party social network services when you log in to them, for example, though accounts in the “Facebook” network.

 Other information we collect

With your consent we may also collect other information about you, your device or your use of our website content.

 You may choose to not provide us certain information, however in such case the use of service we offer might be unavailable.

PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF CONSULATION, SUBMISSION OF ENQUIRY

Processing of personal data of the Applicants, including the Phone Callers, contacting the Data Controller for the purpose of consultation, submission of enquiry and/or other matters. The Data Controller shall process the following personal data of the applicants, including the Phone Callers:

•  Name;
• Surname;
• Telephone number;
• E-mail address.

 In the event the Data Controller is contacted by a representative of the applicant, the Data Controller shall process the following data of the representative of the applicant:

•  Name;
• Surname;
• Relation to the Data Subject who is contacting;
• Telephone number;
• E-mail address.

 Data of the applicants is not transferred to third persons.

PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF ACCOMMODATION AND PROVISION OF SPA SERVICES

Processing of data of the Clients. The Data Controller shall process the following data of the Clients:

• Name;
• Surname;
• Date of birth;
• Personal number;
• Data of the personal identity documents;
• Address of the place of residence;
• Car number;
• Employer’s data;
• Information on participation in loyalty program
• Telephone number;
• E-mail address;
• Health data – if required for proper selection of services;
• Other information related to the good and/or service being purchased.

In the event the Client is being represented by another person, the Data Controller shall process the following personal data of the Client‘s representative:

•  Name;
• Surname;
• Relation to the Data Subject who is contacting;
• Telephone number;
• E-mail address.

The Data Controller undertakes to not transfer your personal data to any unrelated third parties, except for the following cases:

-          if your consent to disclosure of personal data is given;

-          in provision of services – to our partners, in order to perform the services you ordered. We will provide your personal information to these service providers only in as much as is necessary for performance of the relevant service;

-          in fulfilling legitimate interests of the Data Controller (e. g. in the case of debt recovery);

-          to authorised institutions in accordance with the procedure provided for by the legal acts of the Republic of Lithuania.

The Data Controller may provide personal data of the Clients and other Data Subjects to Data processors not indicated in this Privacy Policy which provide services (perform works) to the Data Controller and process personal data of the Clients and the Data Subjects on behalf of the Data Controller. The Data processors shall have the right to process personal data only in accordance with the instructions of the Data Controller and only to the extent necessary for proper performance of obligations established in the contract. When engaging the data processors the Data Controller shall take all necessary precautions to ensure that the data processors have implemented appropriate organisational and technical measures ensuring security and maintain the personal data secrecy.

The basis for the processing of personal data for the purposes of providing accommodation services is: the data subject’s consent and/or the performance of a contract with the Data Subject and/or compliance with the Data Controller’s legal obligations and/or protection of the Data Controller’s legitimate interests (Art. 6 (1) (a), (b), (c) and (f) of the General Data Protection Regulation).

PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PERSONNEL SELECTION OF CANDIDATES TO JOB POSITIONS

 The Data Controller shall process the personal data voluntarily provided by the Candidate for the purposes of personnel selection to the extent the personal data was provided.

 Data is received directly from candidates and/or form third persons providing job posting websites. This data is not transferred to third persons.

 Data of the Candidates shall be processed on the basis of consent given when providing their data and in order to take steps upon the Candidate’s conduct and/or request prior to entering into a contract (Art. 6 (1) (a) and (b) of the General Data Protection Regulation).

PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF ORGANISING GAMES, CAMPAIGNS, CONTESTS

The Data Controller may process personal data for the purposes of carrying out contests or campaigns only with the Data Subjects’ consent. The Data Controller may collect the following personal data of the Participants:

• Name;
• Surname;
• Photos;
• Telephone;
• E-mail.

The data is received directly from the Data Subjects participating in games, campaigns and/or contests. This data is not transferred to third persons, but may be publicly announced on the Data Subject’s Website and/or the social network “Facebook” accounts which belong to the Data Controller. The Data Controller may post: name, surname, photo.

Personal data shall be processed on the basis of consent given when providing own personal data (Art. 6 (1) (a) of the General Data Protection Regulation).

PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING

The Data Controller seeks to share with the recipients of newsletters only the relevant news about services, discounts, offers, contests and other useful information. This is implemented in accordance with this Privacy Policy.

The Data Controller shall process personal data for the purpose of direct marketing only with the expressly given Data Subjects’ consent. For the purpose of direct marketing the following personal data of the Clients and other Data Subjects shall be processed:

• Name;
• Surname;
• Information on participation in loyalty program;
• Telephone number;
• E-mail address.

After sending the newsletter the Data Controller may collect statistical data on the Data Subject’s behaviour in connection with the use and content of the newsletter (for example, whether the newsletter was read, which links were opened by the Data Subject).

The Data Subject’s e-mail address may be used to deliver advertising through Facebook, Google and other advertising platforms by customising the advertising to target audience.

Pursuant to the personal data you provided for the purpose of direct marketing your personal data may be profiled in order to offer you individually customised solutions and offers. You may at any time withdraw your consent to the processing of personal data by automated, including profiling, processing method or to object thereto (if such method is applied).

Personal data is received directly from the Data Subjects. The Data Controller may transfer personal data only to third persons which provide specialised services in order to send e-mail letters, customise the format of advertising ordered through the advertising platforms.

Personal data of the Clients and other Data Subjects shall be processed on the basis of consent given when providing own data and consenting to the processing of personal data for the purpose of direct marketing (Art. 6 (1) (a) of the General Data Protection Regulation).

We hereby inform you that the Data Subject has the right to object to or at any time withdraw his consent to processing of his personal data for the purposes of direct marketing, including profiling, to the extent it is related to such direct marketing, without giving reasons for objection:

-          By clicking the link “unsubscribe from the newsletter” at the end of the newsletter or on the website

-          By writing via e-mail at info@spavytautas.lt or calling by phone at (8-319) 42139.

Withdrawal of consent shall not affect the lawfulness of processing of data based on consent carried out before the withdrawal of consent.

PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF ENSURING SAFETY OF PERSONNEL, CLIENTS AND PROTECTION OF PROPERTY (VIDEO SURVEILLANCE)

For the purposes of ensuring security of personnel, clients and other persons who got into the area under the video surveillance, also of the property (of video surveillance) the Data Controller shall process video data of its personnel and clients, also other persons who got into the area under the video surveillance in order to ensure safety thereof and of the property.

We hereby inform you that your video data is recorded by the Data Controller’s video surveillance equipment when you visit the Data Controller’s premises and territory. Video data may only be transferred to law enforcement institutions in accordance with the procedure provided for by the legal acts of the Republic of Lithuania.

Personal data shall be processed for the purpose of video surveillance on the basis of the legitimate interest of the Data Controller (Art. 6 (1) (f) of the General Data Protection Regulation).

WHAT DO WE DO TO PROTECT YOUR INFORMATION?

Personal data is protected against loss, unauthorised use and alterations. We have installed physical and technical measures to protect all information which we collect for the purposes of proving our services. We hereby remind you that even though we take appropriate actions for the protection of your information, no website, operation carried out via internet, computer system or wireless connection is completely safe.

The Data Controller shall apply different time limits for storage of personal data in accordance with the requirements of legal acts and taking into account the purposes of processing of personal data.

The time limits for storage of personal data:

Exceptions regarding the time limits for storage may be established to the extent they do not infringe the rights of the Data Subjects, are in line with the legal requirements and are properly documented.

Upon expiry of the established time limits, if they were not extended, the data will be deleted in the way that makes them irrecoverable.

YOUR RIGHTS

The Data Subject, whose data is processed in the activities of the Data Controller, shall have the following rights:

-          To be aware (to be informed) of the processing of his data (the right to know);

-          To access his data and learn how it is processed (the right of access);

-          To request rectification or, taking into account the purposes of the processing of personal data, completion of the person’s incomplete personal data (the right to rectification);

-          To obtain erasure of his data or to suspend the processing activities of his data (except for storage) (the right to erasure and the right “to be forgotten”);

-          Shall have the right to obtain from the personal Data Controller restriction of processing of personal data where one of the legitimate reasons is present (the right to restriction):

-          Shall have the right to data portability (the right to portability);

-          To object to the processing of personal data, when this data is processed or is intended to be processed for the purposes of direct marketing, including profiling, to the extent it is related to such direct marketing;

-          To lodge a complaint with the State Data Protection Inspectorate of the Republic of Lithuania.

If you no longer wish your personal data be processed for the purpose of direct marketing, you may write an e-mail letter at the address info@spavytautas.lt or call by phone at (8-319) 42139 and object to the processing of your personal data for the purpose of direct marketing without giving reasons for objection.

The Data Subject shall have the right to submit any request or instruction related to the processing of personal data to the Data Controller in writing in one of the following ways: by delivering directly at the address Karalienės Barboros ave. 2, Birštonas; by mail at: Karalienės Barboros ave. 2, Birštonas; by e-mail at: info@spavytautas.lt.

Having received such request or instruction not later than within one month from the day of contacting the Data Controller shall submit a reply and perform the actions indicated in the request or refuse to perform thereof. If necessary, the said period may be extended by further two months taking into account the complexity and number of requests. In such event, the Data Controller shall inform the Data Subject of such extension within one month from the day of receipt of the request, together with the reasons for the delay.

The Data Controller is allowed to not enable the data subjects to exercise the aforementioned rights, except for the objection to the processing of personal data in the way of direct marketing, when in the cases provided for by laws it is necessary to ensure the prevention, investigation and detection of crimes, breaches of occupational or professional ethics, as well as the protection of rights and freedoms of the Data Subject, Data Controller or other persons.

THIRD PARTY WEBSITES, SERVICES AND PRODUCTS ON OUR WEBSITES

On the Data Controller’s website there may be third party advertising panels, links to their websites and services which are outside of the control of the Data Controller, for example, a link to the Data Controller’s Facebook profile. The Data Controller is not responsible for the security and privacy of information collected by third parties. You have to read the privacy statements applicable to third party websites and services which you use.

If you provided data about yourself with the help of “Facebook”, we understand that you agree for us to contact you by the provided contact phone and e-mail and to submit offers of services.

COOKIES

While you are visiting the Data Controller’s website we want to provide such content and functions which are customised exactly to your needs. That requires cookies. Those are small elements of information, which are automatically created while browsing a website and are saved on your computer or other terminal device. They help the Data Controller to recognise you as a former visitor of a certain website, to save the history of your website visit and to customise content pursuant thereto. Cookies also help to ensure smooth operation of websites, allow monitoring the duration, incidence of website visits and collection of statistical information on the number of website visitors.

Descriptions of cookies used on our website

How to manage and delete cookies

When you use browser to access the content we provide, you may configure your browser to accept all cookies, to reject all cookies or to be notified when the cookie is sent. Each browser is different, therefore if you do not know how to change the cookie settings, see its help menu. The operating system of your device may have additional cookie controllers. If you do not want information to be collected with the help of cookies, use a simple procedure in many browsers, which allows you to disable the use of cookies. For more information on how to manage cookies, please visit the link: http://www.allaboutcookies.org/manage-cookies/.

We note, however, that in some cases deletion of cookies may slow down the speed of internet browsing, limit the operation of certain website features or block access to the website.

 Our website may contain links to web pages of other persons, companies or organisations. We note that the Data Controller is not responsible for the content of such web pages or the principles for ensuring privacy they use. Therefore if you access other web pages from the Data Controller’s website after clicking a link, you should individually refer to their Privacy Policy.

FINAL PROVISIONS

 Supplementations or amendments to the Privacy Policy shall enter into force from the day of posting them on the Website.

 When the Data Subject uses the Website and/or the services provided by the Data Controller after supplementation or amendment to the Privacy Policy, it shall be deemed that the Data Subject does not object to such supplementations and/or amendments.

CONTACT US

 Should you have any questions regarding the information provided in this Privacy Policy, please feel free to contact us in any way convenient to you:

By phone: (8-319) 42139

By e-mail: info@spavytautas.lt

By mail: Karalienės Barboros al. 2, Birštonas

Updated on 20/05/2018