1.1 “Data Controller” means Upaitė, MB, Company Reg. No. 304545481, address: Augusto Dėvilaičio Str. 46, Šyša Village, Šilutė District LT99345, Republic of Lithuania, website: https://www.upaite.lt/. The data about the Company are collected and stored in the Register of Legal Entities of the Republic of Lithuania.
1.2 “Personal Data” means any information related to a Natural Person, i.e. Data Subject, whose is known or can be identified directly or indirectly by reference to the following data: personal ID No., one or more factors specific to the physical, physiological, physiological, economic, cultural or social identity of that person.
1.3 “Data Subject” means a Natural Person, from whom the Data Controller receives the personal data and processes it.
1.4 “Employee” means a person, who has concluded an employment or similar contract with the Data Controller and is appointed to process the Personal Data or, whose personal data are processed according to the decision of the Data Controller.
1.5 “Data Recipient” means a Legal Entity or a Natural Person, to which the personal data are submitted.
1.6 “Data Provision” means disclosure of the personal data by transferring or making them available otherwise (except publication in the media).
1.7 “Personal Data Processing” means any operation with the Personal Data: collection, recording, accumulation, storage, classification, grouping, organisation, alteration (supplement or correction), submission, publication, use, logic and/or arithmetic operations, search, dissemination, destruction or another operation or set of operations.
1.8 “Automatic Data Processing” means data processing actions carried out by automatic means fully or partially.
1.9 “Data Processor” means a Legal Entity or Natural Person (not the Data Controller’s employee) authorised by the Data Controller to process the Personal Data. The Data Processor and (or) the procedure appointed by the Data Processor can be determined by the laws or other legal acts.
1.10 “Third Party” means a Legal Entity or Natural Person, except the Data Subject, Data Controller and persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process Personal Data.
1.11 “Consent” means a free statement of the Data Subject will to process his/her Personal Data for the known purpose. The Consent to process specific Personal Data has to be expressed clearly in writing equivalent to it or in another form unequivocally proving the Data Subject’s will.
1.12 “Direct Marketing” means an activity of direct offering by mail, phone or otherwise of goods or services for people and (or) asking for their opinion about the goods and services offered.
2.1 These RULES OF UPAITĖ, MB PERSONAL DATA PROCESSING AND USE (hereinafter referred to as “the Rules”) regulate the actions of the Data Controller and Data Controller’s employees while processing the Personal Data, as well as set the rights of the Data Subject, implementing measures for the protection of the Personal Data and other issues related to the processing of the Personal Data.
2.2 The Data Controller collects the Personal Data of the Data Subject, who submits the Data coming directly the Data Controller office using the Data Controller’s website https://www.upaite.lt, e-mail, registered mail, phone, filling in travel forms or other using other means.
2.3 The Data Controller undertakes to use the information submitted by the Data Subject exclusively for the purposes specified in these Rules, not to reveal this information to any third persons without the Data Subject’s consent except to the Data Controller’s partners providing tourism or other services related to the proper performance of the services ordered by the Data Subject.
2.4 The Data Controller can also transfer the Data Subject’s Personal Data to the third persons acting on behalf of the Data Controller as the Data Processors. The Personal Data can be submitted only to those Data Processors, with whom the Data Controller has relevant contracts signed.
2.5 Purposes to process the Data Subject’s Personal Data:
2.5.1 To administer services provided by the Data Controller and fulfilment of the contractual obligations;
2.5.2 For electronic trading purpose;
2.5.3 For direct marketing purposes.
PERSONAL DATA PROCESSING
3.1 The Data Subject submitting the Personal Data to the Data Controller confirms and agrees that the Data Controller would control and process the Data Subject’s Personal Data following these Rules, laws in force and other normative legal acts.
3.2 The Personal Data of the Data Subject are processed in non-automatic and automatic ways using technical and organisational means installed by the Data Controller.
3.3 The information collected by the Data Controller: The Data Subject’s name, surname, address, e-mail address, phone number, data of ID documents (passport, ID card) (date, place of issue, date of expiry, number), personal ID number, date of birth, sex, data of credit/debit cards, bank accounts, data of the persons travelling with the Data Subject.
3.4 The information about the Data Subject visit collected on the Data Controller’s website: IP address; visit date and time; computer operating system and the browser used; language settings, etc.
3.5 If the Data Subject uses mobile device, the information about the mobile device type, settings and geographical coordinates are collected.
3.6 The Data Controller’s employees performing their duties and processing the Personal Data of the Data Subject follow these principles:
3.6.1 Collect, process, store the information submitted by the Data Subject only for the legitimate purpose and only the data necessary for administration of the services provided by the Data Controller.
3.6.2 Collecting and processing the Personal Data do not require from the Data Subject to submit the data not necessary for administration of the Data Controller’s services .
3.6.3 The Data Subject’s Personal Data can get only those Data Controller’s employees, who have been authorised by the Data Controller to provide the service.
3.6.4 The Company’s employees do not reveal the Data Subject’s Personal Data to the third persons, except the cases provided by the laws or if it is necessary in order to provide the Data Controller’s services provided by the contract.
3.6.5 The Data Controller’s employees collecting, processing and storing the Data Subject’s data have to follow the requirements of the Law of the Republic of Lithuania on the Legal Protection of Personal Data, Civil Code of the Republic of Lithuania and these Rules.
3.7 The Data Subject’s Personal Data are stored no longer as it is required by the data processing purposes, laws and other legal acts.
4.1 Data analysis and management tools, i.e. cookies, are used on the Data Controller’s website https://www.upaite.lt. The cookies are small files that a website places on the Data Subject’s computer. The main purpose of the cookies is to remember the Data Subject’s choices and to optimise the accessibility of the website.
4.2 The cookies are used to collect statistical information about the visit of the website or its individual parts and to identify the Data Subject’s device and facilitate the Data Subject’s access to the website and the information contained therein and ensure the smooth operation of the website. The cookies are not used to collect the Personal Data.
4.4 The Data Subject can select which cookies to allow/block in the appropriate column by ticking/unticking the box. After blocking the cookies, some parts of the website may not function or function improperly for the Data Subject due to the technical reasons. The Data Subject for getting more information on the current list of the cookies used on the Data Controller’s website or to configure the use of the cookies can do so by visiting https://www.upaite.lt/privatumo-politika.
5. EXERCISE OF DATA SUBJECT RIGHTS
5.1 The Data Subject has the following rights:
5.1.1 to be aware (informed) of the Personal Dara processing
5.1.2 to familiarise with the Data Subject’s Personal Data and the way they are processed
5.1.3 to require to correct, destroy the Data Subject’s Personal Data or to suspend the Data Subject’s Personal Data processing, except storage, when the data are processed violating the provisions of the legal acts in force
5.1.4 to not agree with the processing of the Data Subject’s Personal Data.
5.2 The Data Subject can agree or disagree with the use of the Personal Data submitted by the Data Subject for the Data Controller’s marketing purposes expressing the consent/disagreement in the relevant section of the tourism service contract with the signature or by ticking/unticking the appropriate box on the website.
5.3 The Data Subject can agree or disagree with the use of the Personal Data submitted by the Data Subject for the Data Controller’s marketing purposes filling in the forms submitted by the Data Controller after the trip, other forms of games, quizzes, promotions, etc. performed by the Data Controller expressing the consent/disagreement by ticking/unticking the appropriate box.
5.4 The Data Subject visiting the Data Controller’s website has an opportunity to subscribe to the newsletters by entering the Data Subject’s e-mail address in the appropriate field and clicking “SUBSCRIBE”. The Data Subject has an opportunity to refuse a newsletter or other information sent to the Data Subject by clicking on the link provided by the Data Controller to unsubscribe from offers and news
5.5 The Personal Data are collected, processed and used for the direct marketing purposes in a way not allowing revealing the Data Subject’s identity.
5.6 If the Data Subject visits the Data Controller’s website and submits the information about the Data Subject to the Data Controller’s employees or Data Processors, it is considered that the Data Subject has familiarised and agreed with the provisions of these Rules.
5.7 If the Data Subject does not agree with the Personal Data Processing Rules, the Data Subject has the right to suspend the Personal Data processing as it is specified in paragraph 5.1.4 of these Rules.
5.8 The Data Subject on all issues relating to data protection and exercising the Data Subject’s right to familiarise with data processing, edit the data or refuse the data processing for direct marketing purposes, may also exercise by informing the Data Controller directly, by telephone, mail or e-mail: email@example.com.
6. MEASURES FOR THE PERSONAL DATA PROTECTION
6.1 In order to ensure the personal data protection, the Data Controller implements the personal data protection administrative, hardware, software and computer networks protection measures.
6.2 HTTPS and SSL Certificate are used within the reservation system and website https://www.upaite.lt used by the Data Controller, therefore all the Data Subject’s Personal Data are coordinated and protected from malicious activity and illegal access through computer networks.
6.3 Access to the Personal Data is provided only to those Employees, who need it to fulfil their work functions. Certain Employees may perform only those actions with the Personal Data, for which they are entitled in accordance with their positions and work functions.
6.4 Access to the Data Controller’s reservation system is protected with unique passwords, whose confidentiality is guaranteed.
6.5 The Data Controller ensures the security of the premises, where the Personal Data are stored.
6.6 Antivirus programmes are constantly used and periodically updated in computerised workplaces.
6.7 The real Personal Data are never used to test information systems.
7. FINAL PROVISIONS
7.1 Supervision of compliance with the Personal Data Processing Rules and, if necessary, review, is entrusted to the Head of the Data Controller or authorised person.
7.2 Additions or changes to the Personal Data Processing Rules come into force from the moment of their publication on the Data Controller’s website: https://www.upaite.lt.
7.3 All disputes arising due to fulfilment of these Rules are solved by negotiaiton. If it is impossible to agree, the disputes are solved in accordance with the procedure established by the legal acts of the Republic of Lithuania.
7.4 Responsible employees of the Data Controller have been familiarised with these Rules against signature.
Prenumeruokite mūsų naujienlaiškį!