Translation from Lithuanian
VILNIAUS NARUTIS, UAB
1. GENERAL PROVISIONS
1.2. Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. Data subject means guests and other natural persons whose data are processed by the Controller.
1.4. Data provision means Personal data disclosure by transmission or otherwise making available (with the exception of publication in the media).
1.5. Processing means any operation which is performed on personal data: collection, recording, collection, storage, alteration, disclosure, use, destruction or any other action.
1.6. Processor means any subjects processing Personal data controlled by the Controller according to the instructions of the Controller in accordance with agreements on service provision.
1.7. Controller means VILNIAUS NARUTIS, UAB, legal entity code 122261185, legal address: Pilies g. 24, Vilnius, e-mail address: email@example.com, telephone: +370 521 22894, website: www.narutis.com, which by processing personal data of guests and other natural persons determines methods and measures of use of such data.
1.8. Website means the website of the Controller at the address www.narutis.com.
1.9. Supervisory authority means State Data Protection Inspectorate.
1.11. Direct marketing means activities aimed at offering goods or services to persons by post, telephone or other direct means and/or at asking their opinion on the goods or services offered.
1.12. Hotel means hotel “Narutis”, located at Pilies g. 24, Vilnius, and hotel “Apia”, located at Šv. Ignoto g. 12, Vilnius, controlled by VILNIAUS NARUTIS, UAB.
1.13. Other terms used in the Policy shall be understood according to definitions established in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Law on Legal Protection of Personal Data of the Republic of Lithuania and other legislation regulating personal data protection. Policy is available on website www.narutis.com.
2. PERSONAL DATA PROCESSING PURPOSES AND PROCESSED PERSONAL DATA
2.1. The Controller shall process Personal data for the following purposes:
2.1.1. for the purposes of Hotel guests accounting, guest debt management, protection of guests’ property;
2.1.2. for the purpose of personal and property protection, prevention of violations of law, infringer identification, detection of violations of law (video surveillance);
2.1.3. for the purpose of direct marketing;
2.1.4. for the purposes of statistics and marketing (when using Website).
Personal data processing for the purposes of Hotel guests accounting, guest debt management, protection of guests’ property
2.2. When booking a room at the Hotel, Data subject shall give consent for the Controller to process the following Personal data:
2.2.1. name, surname;
2.2.2. date of birth;
2.2.4. number of personal identity document;
2.2.5. address of place of residence;
2.2.6. telephone number;
2.2.7. e-mail address;
2.2.8. payment type, payment card data: number and validity date (in case of card payment);
2.2.9. amount due;
2.2.10. arrival and departure dates;
2.2.11. car licence plate;
2.2.12. accommodation location.
2.3. Data specified in Item 2.2 of the Policy are required for the Controller, when providing services, to be able to identify Hotel guests, execute payments for services and goods provided by the Hotel, ensure the security of the property of the Data subject, if necessary, contact Data subjects.
2.4. Data obtained for the purpose of Hotel guests accounting shall be stored for 5 (five) years from the date of booking. Data necessary for the management of guest debts shall be stored until the recovery of debt. When Personal data are no longer necessary for the purposes of processing thereof or established retention period expires, Personal data shall be destroyed, with the exception of data that must be stored in accordance with applicable legislation.
2.5. Data subject, complying with the requirements of applicable legislation, shall provide the following data of Hotel guests to Statistics Lithuania: number of guests, country of origin of guests, arrival time, and number of nights spent.
Personal data processing for the purpose of personal and property protection, prevention of violations of law, infringer identification, detection of violations of law
2.6. The Controller shall set video surveillance system in the territory of the Hotel (common use premises of the Hotel, including restaurant) for the purposes of personal and property protection, prevention of violations of law, infringer identification, and detection of violations of law.
2.7. Video cameras shall record video data of persons and vehicles.
2.8. Video surveillance system shall not be used for monitoring:
2.8.1. in Hotel premises in which Data subject reasonably expects absolute privacy protection and such video surveillance would degrade human dignity;
2.8.2. hidden video cameras will not be used.
2.9. Video data shall be controlled and processed by the Controller.
2.10. Video surveillance data shall be stored for 2 (two) months and then will be automatically deleted.
2.11. Video surveillance data may be provided only to law enforcement institutions or any other public authorities where such data provision is required in accordance with the requirements of legislation.
2.12. Data subjects shall be notified about video surveillance in operation by signs alerting about video surveillance.
Personal data processing for the purpose of direct marketing
2.13. The Controller may process Personal data for the purpose of direct marketing (reductions, discounts, privileges and promotions) only upon receipt of advance consent of the Data subject. The consent of the Data subject must be expressed by active actions (by filling in guest registration card, ticking a box in a form, etc.). In connection with the consent, Data subject must receive information about the identity of the Controller, contact information, the purpose of personal data processing, the rights of the Data subject, including the right to withdraw the consent at any time, as well as other relevant information.
2.14. Advance consent of the Data subject regarding processing of Personal data for the purpose of direct marketing is not necessary, if offers are sent by e-mail at e-mail address received from the Data subject only for the marketing of own similar goods and services, provided Data subjects receive explicit, free and easily available opportunity to object or refuse such use of personal data and the Data subject did not initially object to such use of data when submitting each offer (by clicking on an active link or indicating e-mail address for sending notifications about objection to such use of data).
2.15. The following Personal data shall be processed for the purpose of direct marketing: name, surname, date of birth, home address, telephone number, e-mail address, hobbies, and signature.
2.16. The Controller confirms that Personal data for the purpose of direct marketing shall be collected only directly from the Data subject and shall not be collected from other sources.
2.17. Direct marketing shall be carried out by sending offers by e-mail.
2.18. The Data subject shall have the right to object to or withdraw the consent regarding processing of Personal data for the purpose of direct marketing at any time without specifying reasons by contacting the Controller by e-mail firstname.lastname@example.org or clicking on a link (unsubscribe) in received e-mail. The Data subject shall have the right to object to or withdraw his/her consent for processing of Personal data for the purpose of direct marketing, including profiling, to the extent it is related to direct marketing, at any time without specifying reasons for such refusal.
2.19. Where Data subject withdraws consent for processing Personal data for the purpose of direct marketing, the Controller shall immediately suspend processing of Personal data for the purpose of direct marketing and shall destroy such data no later than within 1 business day.
2.20. Personal data for the purpose of direct marketing shall be processed until the Data subject withdraws the consent for processing of Personal data or for 3 (three) years from the date of receipt of consent for processing of Personal data. At the end of 3 (three) year period, the Controller may contact the Data subject regarding resubmitting a consent.
2.21. Persons under the age of 14 cannot provide any Personal data for the marketing activity through Controller’s Website. Before providing personal information for the purposes of marketing, a person under the age of 14 must obtain the consent of his/her parents or other legal representatives.
Personal data processing for the purposes of statistics and marketing (when using Website)
2.22. When visiting Controller’s Website at the address www.narutis.com, the following information about person’s visit shall be collected: IP address, visit date and time, computer operating system and browser used, language setting, etc.
2.23. Controller’s Website www.narutis.com uses data analysis management tools – cookies. A cookie is information which is sent by internet server into internet browser and stored therein. This information is sent to internet server every time the browser requests the server to open webpage allowing the internet server to determine and monitor internet browser.
2.24. The main purpose of cookies is to remember preferences of a person who logged in and optimize the availability of the Website. Cookies are used to gather statistical information about the traffic of a website or separate parts thereof, also for identification of the devise used by the Data subject and facilitate the access of the Data subject to the Website and information contained therein and ensure smooth performance of the webpage.
3. RIGHTS OF THE DATA SUBJECTS AND IMPLEMENTATION THEREOF
3.1. Data subjects shall have the following rights:
3.1.1. right to information about processing of personal data;
3.1.2. right to access to Personal data processed by the Controller;
3.1.3. right to obtain rectification of inaccurate or incorrect Personal data;
3.1.4. right to obtain erasure of Personal data (right to be forgotten);
3.1.5. right to obtain restriction of Personal data processing;
3.1.6. right to object to Personal data processing;
3.1.7. right to Personal data portability;
3.1.8. right to free and unrestricted withdrawal of given consent where Personal data are processed on the basis of consent.
3.2. In all cases, the Controller, by collecting information about Data subject, shall provide the following information to the Data subject (except in cases Data subject already has such information):
3.2.1. name, legal entity code, legal address;
3.2.2. contact information of Controller’s Data Protection Officer (if any);
3.2.3. purpose and legal grounds for processing Personal data of the Data subject;
3.2.4. data recipients and categories thereof (if any);
3.2.5. data retention period or criteria used to determine that period;
3.2.6. other additional information (data sources; what Personal data the Data subject is required to provide and consequences of failing to provide data; Data subject’s right to get access to Personal data, obtain rectification of incorrect, incomplete, inaccurate Personal data), to the extent, it would be possible to ensure fair processing of Personal data without violating the rights of the Data subject; information about Data subject’s right to lodge a complaint to Supervisory authority;
3.2.7. about the provision of Personal data of the Data subject to third parties no later than by the moment the data are submitted for the first time, and if the Data subject does not know about the transfer of data to other parties.
3.3. The Controller shall enable the Data subject to exercise his/her rights, except in cases established by the law, where it is necessary to ensure national security, defence, public order, the prevention, investigation, detection or prosecution of criminal offences, important public economic or financial interests, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of rights and freedoms of the Data subject and other persons.
3.4. Upon submitting personal identity document or under the procedure established by the laws or via electronic means of communication enabling proper identification of the person, Data subject shall have the right to get access to Personal data processed by the Controller and receive information about data sources and Personal data collected, the purpose of processing and data recipients to whom Personal data are disclosed.
3.5. In exercising Data subject’s right to data portability, only data processed on the ground of agreement or consent where processing is carried out by automated means shall be transferred. In such case, Personal data shall be provided to the Data subject in a structured, commonly used and machine-readable formats.
3.6. Replies to Data subject shall be submitted no later than within 30 (thirty) calendar days from the date of receipt of the request. Where the Controller does not intend to comply with the request of the Data subject, reasoned reply should be provided.
3.7. If, after getting familiar with his/her Personal data, the Data subject determined that such data were not processed lawfully and fairly, the Data subject shall contact the Controller and the lawfulness and fairness of Personal data processing must be verified free of charge. At written request of the Data subject, Personal data that have been unlawfully and unfairly collected must be immediately destroyed or the processing, with the exception of storage, must be suspended.
3.8. Data shall be provided to the Data subject free of charge. In certain cases (where Data subject abuses his/her rights, requests to provide information, extracts, documents from the Data subject are manifestly unfounded or excessive), the Data subject may be charged for such information and data in accordance with fees approved by the Controller.
4. PERSONAL DATA PROTECTION MEASURES
4.1. The Controller, in order to protect Personal data, shall implement and ensure proper organizational and technical measures for the protection of Personal data from accidental or unlawful destruction, alteration, disclosure, also, from any unlawful processing.
4.2. Personal data shall be processed by automated means, as well as by other than automated means by using the following personal data processing related organizational and technical measures:
4.2.1. the Controller shall ensure the security of premises where Personal data are stored, proper arrangement and maintenance of technical equipment, compliance with fire safety rules, proper network management, maintenance of information systems and implementation of other technical measures necessary to ensure the protection of Personal data;
4.2.2. if the Controller engages Processors for the processing of data, the Controller shall conclude agreements on Personal data processing. The Controller shall engage for the processing of Personal data only those Processors that are able to ensure sufficient implementation of technical and organizational measures in a way data processing would comply with the requirements of applicable legislation and the protection of the rights of the Data subject would be ensured. The Controller intending to engage third parties (other Processors) shall obtain advance written consent from the Data subject and ensure that engaged sub-processor would comply with the same requirements applicable to the Controller;
4.2.5. the employees of the Controller processing Personal data by automated means or using computers providing access to local network areas containing Personal data shall comply with the procedure for login to the computer, for creating, granting and changing the password to personal data storage media: passwords must be changed at least once per 6 (six) months or under certain circumstances (new employee, threat of break-in, etc.). The employee may know only his/her password.
4.3. When Personal data security breaches are detected, the Controller shall take immediate measures to prevent unlawful processing of Personal data.
5. RECORDS OF PROCESSING ACTIVITIES
5.1. The Controller shall maintain record of Personal data processing activities (hereinafter – Records of processing activities) containing detailed description of processing of Personal data.
5.2. The Records of processing activities shall be in writing, including in electronic form.
5.3. Data protection officer appointed by the Controller shall be responsible for maintaining Records of processing activities.
5.4. If Personal data processing or any other information related to processing of Personal data changes, the information contained in Records of processing activities shall be updated.
5.5. The Controller shall ensure the traceability of changes to Records of processing activities (who was the Data protection officer, what changes were made, when they were made, etc.).
5.6. Upon receipt of the request of Supervisory authority, the Controller shall provide maintained Records of processing activities.
6. DATA PROTECTION OFFICER
6.1. By the order of general manager of the Controller, Data protection officer (hereinafter – Officer) shall be appointed from current employees of the Controller or a third party contracted under service provision agreement.
6.2. Data subjects may contact the Officer on all matters related to processing of their Personal data and implementation of their rights.
6.3. Rights and obligations of the Officer:
6.3.1. shall have sufficient expert knowledge, both legal and practical, in the field of Personal data protection;
6.3.2. shall have the right to get involved in hearing all matters related to Personal data protection and privacy in the company of the Controller;
6.3.3. shall have the right to get familiar with Personal data, participate in data processing operations;
6.3.4. shall be obliged to assist in ensuring that Personal data processing in the company of the Controller would comply with the requirements of legislation regulating legal protection of Personal data by properly assessing data processing operation, nature, scope, context, purposes and potential risks;
6.3.6. shall notify general manager and employees of the company of the Controller about their duties under legislation regulating legal protection of Personal data and shall consult them on the performance of specific duties;
6.3.7. shall notify general manager of the company of the Controller about any inconsistencies, violations related to Personal data protection detected by the Officer while performing his/her functions;
6.3.8. shall consult the employees of the Controller working with Personal data on the matters of legal protection of Personal data;
6.3.9. shall collaborate and act as a contact person in relationships with Supervisory authority;
6.3.10. shall maintain and store data related to Personal data protection activity – Records of processing activities. The Officer shall be responsible for providing Records of processing activities to the Supervisory authority (upon request);
6.3.11. shall ensure secrecy and/or confidentiality related to the performance of his/her tasks in accordance with applicable requirements of legislation;
6.3.12. shall perform all other duties as established in legislation regulating Personal data protection;
6.3.13. shall not perform any other duties or functions that could result in conflict of interests with respect to his/her functions.
7. FINAL PROVISIONS