PRIVACY POLICY

This Privacy Policy applies to and is used by companies within the UAB Baltic Asset Management group of companies and companies affiliated with UAB Baltic Asset Management.

I.      GENERAL PROVISIONS

1. UAB Baltic Asset Management ensures that personal data is processed in a lawful, fair and transparent manner, that it is collected for specified and explicit purposes and that it is not processed in a manner inconsistent with those purposes.
2. For the purposes of this Privacy Policy:

• “Personal data” shall refer to any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is a person who can be identified, directly or indirectly, primarily by reference to an identifier such as a name, a personal identification number, location data and an online identifier, or by reference to one or more attributes specific to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
• “Data Controller” shall refer to UAB Baltic Asset Management, reg. No 304602224, registered office address: Upės g. 21, Vilnius;
• “Data Subject” shall refer to any customer of the Company, who may be any natural person whose personal data is processed by the Data Controller;
• “Data processing” shall refer to any operation or sequence of operations which is performed by automated or non-automated means on personal data or sets thereof, such as collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transfer, dissemination or any other means of communication, collation or combination with other data, restriction, erasure or destruction.

3. The concepts, principles and other provisions used in this Privacy Policy are in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation,” hereinafter referred to as the “GDPR”), the Law son Legal Protection of Personal Data of the Republic of Lithuania, and other relevant legislation.
4. The Data Subject shall be considered to have read and understood this Privacy Policy when they voluntarily enter their data (email address and telephone number) on the Company’s website at www.youston.lt.

 

5. Please be advised that the Data Controller:
6. Processes personal data in a lawful, fair and transparent manner with respect to the Data Subject (principle of lawfulness, fairness and transparency);
7. Collects personal data for specified, explicit and legitimate purposes and does not process personal data in a manner inconsistent with those purposes (principle of purpose limitation);
8. Only collects personal data that is adequate, relevant and only as necessary for the purposes of processing (principle of data minimisation);
9. Only processes accurate personal data and updates it as necessary; takes all reasonable steps to ensure that personal data which is inaccurate in relation to the purposes for which it is processed is either erased or rectified without undue delay (principle of accuracy);
10. Stores personal data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed (principle of storage limitation);
11. Processes personal data in such a way as to ensure, through appropriate technical or organisational measures, the adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss or destruction (principles of integrity and confidentiality);

• The Data Controller is responsible for ensuring compliance with the above principles and must be able to demonstrate such compliance (principle of accountability).
• The use of third-party services, such as the use of the Data Controller’s profiles on social media, may be subject to the terms and conditions of those third parties. Therefore, when using such third-party services, it is advisable to also read the terms and conditions thereof.

II.     PERSONAL DATA, PURPOSES OF PROCESSING, LEGAL GROUNDS AND STORAGE

Personal Data	Purpose	Legal grounds
full name, personal identification number or date of birth, telephone number, email address, residential address, bank account number (for payment for services), data on the real estate purchased/sold/owned by the Data Subject (extract on the property from the Real Estate and Cadastral Register of the State Enterprise Registrų centras), IP address, email and social media correspondence (excl. public records).	For the purpose of providing and performing the Company’s services, purchasing and participating in the Company’s activities, for invoicing purposes, for data analysis purposes, and for the purpose of creating and improving the content of the website, describing products and services, and including the proper functioning of the website.	Your consent, the conclusion and performance of the Contract between the Company and you, the conclusion of the Contract with the Data Provider, our legal obligations under applicable law, including compliance with accounting and tax requirements, and our legitimate interests and the legitimate interests of third parties in the timely receipt of payments and arrears.
full name, telephone number, and email address.	For direct marketing purposes	Your consent
comment, full name, telephone number, and email address.	For the purposes of administering customer enquiries and providing high-quality services	Your consent, the conclusion and performance of the Contract between the Company and you
Information on the final beneficiary and policy participants	We process this personal data in order to carry out the AML/CFT, CDD/KYC and Sanctions Enforcement Verification procedures	Our legal obligations under applicable law, including AML/CFT and Sanctions Enforcement legislation; our legitimate interests and those of third parties (to protect our interest)

         

9. Storage of personal data:

• Personal data in connection with the Company’s core business, i.e. the purchase and sale of real estate, project management and development, shall be stored for a period of 10 (ten) years. This period is provided in view of the potential inspections initiated by various public authorities (State Tax Inspectorate, SoDra, etc.), which may be initiated 5 (five) years following the conclusion of any given contractual relationship (e.g. a contract), and which may include a requirement for data relating to the preceding 5 (five) years;
• Personal data obtained for the purpose of direct marketing (i.e. offering Data Subjects to buy/sell/otherwise dispose of real estate of their interest, in part or in full, or to contribute to real estate projects under development) shall be stored for a period of five (5) years from the date of obtaining such data;
• Personal data obtained for the purpose of administering enquiries shall be stored for a period of 1 (one) year from the date of obtaining such data;
• Personal data obtained for the purpose of invoicing shall be stored in accordance with the legal requirements applicable to accounting.

10. The Data Subject may at any time submit a request to withdraw consent to the processing of their personal data by sending an email to info@balticam.lt or by visiting the Company’s office at Upės g. 21 in Vilnius.

 

11. The Data Controller collects personal data from the following sources:

 

• directly from the Data Subject;
• from publicly available sources, i.e. the Company collects publicly available data of business partners and/or their representatives from publicly available information systems (social media, public databases, etc.) in connection with the preparation of relevant tenders, project development, etc.;
• from the Company’s database, which includes all real estate brokers operating in Lithuania. Their data is publicly available and accessible. Each time the Company sends a relevant enquiry to a broker, the email gives the broker the opportunity to opt out of any relevant offers of future cooperation.

12. Recipients of your personal data. The Data Controller undertakes not to disclose any personal data processed by it to third parties, except in the following cases:

 

• if the Data Subject has given consent to such disclosure of their personal data;
• when the data is provided to Data Processors for accounting, online system support, payment and other services. These Data Processors are third parties whose services we use to ensure the functionality of our services and our website. Personal data will only be transferred to these third-party service providers to the extent that is necessary to ensure that the third party is able to provide their services. We have ensured that all service providers, the third parties to whom we transfer your personal data, comply with our processing instructions with respect to your personal data. The transfer of your personal data is governed by the data processing agreement or processing terms and conditions that we have agreed with the third-party service providers;
• Personal data may be disclosed to companies affiliated with the Data Controller, as well as to companies that provide services at the request of the Data Controller, e.g. banks/companies that assist with payment transactions. These companies are limited in their ability to use your information; they cannot use this information for purposes other than to provide a service to the Data Controller;
• Personal data may be disclosed to other parties where required to do so by law or as necessary to protect the provision of information society services;
• Personal data may be transferred in the course of legal proceedings as well as in the context of any leasing services we may offer to our clients for the purpose of debt recovery;
• Personal data may be transferred to UAB Baltic Asset Management group companies, partners and institutions where such obligation is imposed on us by laws and regulations, or for the purposes of providing certain services related to the Company and the group of companies;
• Personal data may be disclosed for other relevant purposes in the performance of the Company’s statutory obligations.

Where we use social media, filtering and targeted marketing tools related to visits to social media pages to obtain statistical data, the providers of social media services (for example, Facebook, LinkedIn, Instagram) together with the Company shall be the joint Data Controllers of the personal data processed in relation to you. Cases where the Data Controller may disclose personal data of the Data Subject to other parties:

• to comply with the law or in response to a mandatory court order;
• to prove the legality of its actions;
• to protect the Data Controller, its rights and property, or to ensure its security;
• to any related third party in the event of a merger, transfer or bankruptcy;
• in other cases, with the consent of the Data Subject or upon a legitimate request.

 

13. By submitting personal data, the Data Subject authorises the Data Controller to collect, store, systematise, use and process, for the purposes specified in this Privacy Policy, all personal data that is submitted, directly or indirectly, by the Data Subject when visiting the Website.
14. It is the responsibility of the Data Subject to ensure that the data provided is accurate, correct and complete. Entering data that is known to be incorrect shall be considered a breach of the Privacy Policy. If the data provided has changed, you must correct it immediately and, if this is not possible, inform the Data Controller. In no event shall the Data Controller be liable for any damage caused to the Data Subject and/or third parties as a result of the Data Subject providing incorrect and/or incomplete personal data or failure to apply for the data to be supplemented and/or amended in the event of any changes thereto.

  The Data Controller shall not collect any sensitive information about the Data Subject. The Data Controller shall not perform automated decision-making or profiling based on the information about the Data Subject. The Data Controller shall not share the personal data of the Data Subject with any entities outside the European Economic Area.   The Data Controller may share personal data with UAB Baltic Asset Management group companies and companies related to UAB Baltic Asset Management.

III.  COOKIES

The Data Controller uses cookies on its Website to ensure the proper processing of information about Data Subjects (the “Visitors”) when they visit the Data Controller’s Website.   Cookies are files that store information on a Visitor’s computer hard drive or the search engine. Cookies can be used to identify visits to the Data Controller’s Website, to monitor the history of visits and to tailor the Website’s content accordingly. Cookies are also used to ensure the most user-friendly browsing experience and the seamless functioning of the Website, to monitor the duration and frequency of visits and to collect statistical information about the number of visitors to the Website. They also help us to improve the functioning of the Website and to implement other improvements and tailor the Website to the best needs of its Visitors.

16. The websites and social media accounts managed by the Data Controller allow the Data Subject to provide information directly to the Data Controller (for example, by subscribing to the newsletter on the website). The following information is obtained directly from the Data Subject:

• the email address.

  The following information is obtained indirectly:

• information on the way the Data Controller’s websites are used, such as the following details:
• device information, i.e. IP address, operating system version and settings of the device used by the Data Subject to access the content/products on the Website;
• login information, i.e. the time and duration of the Data Subject’s session, the terms of queries made by the Data Subject on the Data Controller’s websites and any information stored in cookies stored on the Data Subject’s device;
• location information, i.e. the GPS data of the device or information about the nearest Wi-Fi access points and cell towers, which may be communicated to the Data Controller by the Data Subject when accessing the content of the Data Controller’s websites;
• information from third-party sources.

  The Data Controller may obtain information about the Data Subject from public and commercial sources (to the extent permitted by applicable law) and link it with other information received from, or about, the Data Subject.   The Data Controller may also obtain information about the Data Subject from third-party social media services when the Data Subject has accessed them, for example, through their accounts on Facebook.   The Data Controller may collect information about the Data Subject, their device or their use of the websites’ content, but only with the Data Subject’s consent.   The Data Subject may choose not to provide the Data Controller with certain information (e.g. information required for subscriptions or marketing). In such a case, the Data Controller will not be able to provide the Data Subject with the most recent offers or to contact the Data Subject promptly when the most appropriate offer is available to the Data Subject.

17. The processing of personal data by means of cookies does not enable direct or indirect identification of any Visitors to the Website.
18. Any Visitor to the Website may delete cookies from their computer or block them in their web browser. However, some of the functionality of the Website may not be available or may not function correctly.

 

NAME	PROVIDER	DESCRIPTION, INTENDED PURPOSE	STORAGE DURATION
gdpr	.youston.lt	A system cookie that detects and collects information about a visitor’s consent in their privacy settings.	Until the website window is closed
pll_language	.youston.lt	To save language settings	1 year

  Third-party cookies:

NAME	PROVIDER	DESCRIPTION, INTENDED PURPOSE	STORAGE DURATION
_GRECAPTCHA	www.google.com	Google reCAPTCHA saves the required cookie (_GRECAPTCHA) whenever it is triggered in order to provide a risk analysis.	6 months
_ga_<container-id>	.youston.lt	This cookie is used by Google Analytics to maintain the session status.	2 years
_ga	.youston.lt	To identify the goals of the visitors to the website, to report to the website operators on the performance of the website and to improve the visitors’ experience of browsing the website.	2 years

 

IV.  RIGHTS OF DATA SUBJECTS

19. The Data Controller shall guarantee the exercise of the Data Subject’s rights below and the provision of any relevant information at the request or inquiry of the Data Subject:

• to know (be informed) about the processing of their personal data;
• to have access to their personal data and to know how it is processed;
• to request the rectification or destruction of their personal data, or the suspension, other than storage, of the processing of their personal data;
• to object to the processing of their personal data, including in the context of direct marketing;
• to request the erasure of their personal data (“the right to be forgotten”);
• to seek the portability of their personal data, i.e. to access their personal data in a standard and computer-readable format;
• to lodge a complaint with the State Data Protection Inspectorate.

  The Data Controller may prevent Data Subjects from exercising the above rights where, in cases provided for by law, it is necessary for the prevention, investigation and detection of crimes and breaches of official or professional ethics, as well as for the protection of the rights and freedoms of the Data Subject and other individuals.  

20. A Data Subject who has presented a document verifying their identity or who has verified their identity by means of electronic communications (provided that they enable adequate identification of the person) in accordance with the procedure established by law, shall have the right to access their personal data processed by the Company free of charge at any time, by submitting a request to the Data Controller, and to obtain information on the sources used to collect their personal data, the purpose of processing, and the recipients to whom the personal data is and has been provided within the last 1 (one) year. The Data Subject shall also have the right to request the rectification of incorrect, incomplete or inaccurate personal data and to request the suspension, except for storage, of the processing of their personal data where the processing of the personal data is not in compliance with the applicable laws and the terms of this Privacy Policy.
21. The Data Subject may submit a request form for the exercise of their rights referred to above to the Company’s office at Upės g. 21 in Vilnius, or by sending such a request by email to info@balticam.lt.
22. To the extent that the processing of personal data is subject to consent, the Data Subject shall have the right to withdraw their consent at any time, without affecting the lawfulness of the consent-based processing prior to the withdrawal of this consent, as provided for in the Privacy Policy.

 

23. The Data Controller’s website(s) or social media accounts may contain links to third-party websites and services which are not controlled by the Data Controller. The Data Controller is not responsible for the security and privacy of information collected by third parties. It is the Data Subject’s responsibility to be cautious and to read the privacy statements governing the use of third-party websites and services as accessed by the Data Subject.

 

24. If the Data Subject is not satisfied with the Data Controller’s response or considers that the Data Controller is not processing their personal data in accordance with the legal requirements, the Data Subject shall have the right to lodge a complaint with the State Data Protection Inspectorate of the Republic of Lithuania.

V.    FINAL PROVISIONS

25. Legal relations in connection with this Privacy Policy shall be governed by the law of the Republic of Lithuania.
26. The Data Controller shall not be liable for any damage, including damage caused by interruptions to the use of the Website, for any loss or corruption of data caused by the Data Subject themselves or by the acts or omissions of third parties operating with the Data Subject’s knowledge, including any incorrect data input, other types of errors, intentional tampering, or any other misuse of the Website. The Website provider shall also not be liable for any interruptions in access to and/or use of the Website and/or any damage caused by such interruptions due to the acts or omissions of third parties not related to the Data Controller or the Data Subject, including power outages, internet access failures, etc.
27. The Data Controller shall have the right to amend the Privacy Policy in part or in full. This Privacy Policy shall be reviewed once every 2 (two) years and updated as necessary.
28. Any amendments or changes to the Privacy Policy shall become effective from the date of their publication on the Website.
29. If the Data Subject continues to use the Website following an addition or amendment to the Privacy Policy, the Data Subject shall be considered not to have objected to such additions and/or amendments.

_____________________    

RULES ON VIDEO SURVEILLANCE AND VIDEO DATA PROCESSING

I.       GENERAL PROVISIONS

1. The Rules on Video Surveillance and Video Data Processing (hereinafter referred to as the “Rules”) regulate and include the surveillance, recording and processing of video data (reviewing, storing, transferring, sharing, using), granting, revoking and amending the access rights and authorisations to process personal data, procedures for managing and responding to data security breaches, and rules for exercising the rights of Data Subjects and for handling their requests, as well as ensuring compliance with and implementation of the Law on Legal Protection of Personal Data of the Republic of Lithuania, the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as “GDPR”), and of other laws and regulations governing the processing and protection of personal data, as relates to the premises, the buildings and the outdoor territory of UAB Naujamiesčio NT (hereinafter referred to as the “Company”).
2. These Rules have been prepared in accordance with the Law on Personal Data Protection of the Republic of Lithuania (hereinafter referred to as the “LPDP”), the GDPR and its implementing legal acts, the Order No 1T-71(1.12) of 12 November 2008 of the Director of the State Data Protection Inspectorate “On the Approval of the General Requirements for the Organisational and Technical Measures for Personal Data Security”, and other laws and regulations governing personal data processing and protection.
3. For the purposes of these Rules:
   • “Data Controller” or “Joint Data Controllers” shall refer to UAB Naujamiesčio NT, reg. No 303422091, Smolensko g. 10, Vilnius, email: info@balticam.lt, tel.: +37065261041, and UAB Baltic Asset Management, reg. No 304602224, Upės g. 21, Vilnius, email: info@balticam.lt, tel.: +37065261041.
   • “Data Processor” shall refer to UAB Naujamiesčio NT, reg. No 303422091, Smolensko g. 10, Vilnius, email: info@balticam.lt, tel.: +37065261041.
   • “Data Subject” shall mean a natural person whose personal data is processed for the purposes specified in the Rules.
   • “Personal data” shall refer to any information relating to a Data Subject whose identity is known or can be established, directly or indirectly.
   • “Access to video recording equipment” shall mean access, either physical or by electronic means, enabling a person to modify, remove or update the components or software of the technical video equipment, to set the operating parameters of the video equipment, and to have access to any personal data collected in the course of video surveillance.
   • “Video Surveillance” shall refer to the processing of video data relating to a natural person by means of automated video surveillance tools (video cameras), regardless of whether the data is stored in any medium.
   • “Video Surveillance System” shall include servers and/or video data recorders, CCTV cameras and data storage media used to store video data.
   • “Video Data Recorders” shall mean digital devices contained in the Company’s asset register for capturing, recording, storing, viewing and copying video data.
   • Other terms used in the Rules shall be understood as defined in the LPDP, the GDPR and other applicable laws of the Republic of Lithuania.

II.     PURPOSE, SCOPE AND LEGAL BASIS OF VIDEO SURVEILLANCE

4. The purpose of video surveillance is to provide a preventive security measure aimed at protecting the property and assets of the Company, its employees and customers, as well as ensuring public order and a safe environment. The legal basis for the video surveillance is the legitimate interest of the Joint Data Controllers (Article 6(1)(f) of the GDPR). Where damage to property or a person is identified, the Data Controllers are authorised to transfer this data to third parties in order to investigate and determine the origin of the damage.
5. Video surveillance cameras are installed at Smolensko g. 10 in Vilnius.
6. Video surveillance cameras are used to monitor the following:
   • Outdoor areas of all premises, including entrances, exits, on-site car parks and all other public spaces within the premises;
   • Internal communal areas of all premises, including corridors, building entrances and exits, communal kitchens and lounges;
   • Indoor and outdoor areas are subject to 24-hour video surveillance.
7. Surveillance video data shall be recorded on a data storage device and stored on digital media for a minimum of 30 calendar days. Due to the limited capacity of the hard disk, the video recorder shall automatically delete the oldest video recordings and record the most recent video feed in the free storage space available. The employees responsible for the supervision of the video surveillance system, as specified in these Rules, shall ensure the continuity of the video data recording and shall maintain the system in good working order.

III.  PROCESSING OF VIDEO SURVEILLANCE RECORDINGS

8. The Director of the Company and their authorised person, the administrators of the premises, and the employees of the security service (hereinafter referred to as the “employees responsible for the supervision of the video surveillance system”) shall have the authority to process all recorded video surveillance data and shall bear the responsibility for the organisation of video surveillance, the processing of the video surveillance data, its transfer to third parties and the protection of the video surveillance data in accordance with the provisions specified herein, unless the system is experiencing a technical failure or undergoing preventive maintenance work. The employees concerned, who shall have the right of access to the video data, have all signed a declaration of confidentiality and have undertaken to comply with the requirements established by the legislation on the protection of personal data.
9. The employees responsible for the supervision of the video surveillance system must:
   • ensure that the video surveillance data is not used for purposes other than those defined in these Rules;
   • ensure that the video surveillance cameras are installed in such a way as to ensure that, given the stated purpose of the video surveillance specified herein, the video surveillance does not cover a larger area of the territory or premises than is necessary and does not collect more video data than is necessary;
   • comply with the key principles of video data processing and the confidentiality and security requirements set out in the LPDP, the GDPR, these Rules and other applicable legislation;
   • ensure that the video surveillance system is in good working order and that any technical faults in the system are rectified promptly, using all available technical resources;
   • take the necessary organisational and technical measures to ensure the security of personal data in order to prevent accidental or unlawful destruction, loss, alteration, disclosure or any other unauthorised processing of the video data;
   • safely store video data contained in the video data recorders and/or media;
   • not disclose, transmit or allow access by any means to the video data to any unauthorised persons;
   • ensure that information signs (CCTV signs) are displayed at the entrances, premises and territories of and around the Company’s building, where video surveillance is implemented, with the following information: “These premises and common areas are under CCTV surveillance for your safety (orig. Teritorija ir bendrojo naudojimo patalpos Jūsų saugumo tikslais stebimos vaizdo kameromis). Data Controller – UAB Naujamiesčio NT, reg. No 303422091, T: +370 650 22531, E: info@balticam.lt“.
   • ensure that the information signs are displayed and visible when entering the video surveillance area;
   • record the transfers of video surveillance data in the Video Surveillance Data Transfer Log;
   • ensure that the area monitored by the video surveillance cameras does not extend to the residential premises and/or private areas or entrances thereto, as well as to such premises where the Data Subject has a reasonable expectation of absolute privacy and where such monitoring would be degrading to their dignity;
10. If the employees responsible for the supervision of the video surveillance system, or other employees of the Company, discover that the video surveillance data they are processing has been made available to persons who are not authorised to process the data (or attempts have been made to access it), they shall:
    • take all practicable measures immediately to terminate unauthorised access to the personal data being processed;
    • inform the employee responsible for the supervision of the video surveillance system and/or the Director of the Company immediately;
    • report the incident immediately to the responsible employee, who must then record the incident in accordance with the Company’s procedures.
11. The access rights to the recorded video surveillance data shall be terminated upon the termination of the authorisation of the employee processing the video data, the termination of their employment relationship, or any change in the employee’s functions which do not necessitate such access to the video data.

IV.   PROVISION OF VIDEO DATA AND DATA RECIPIENTS

12. In the cases and manner prescribed by law, the Company shall provide video surveillance data it processes to any law enforcement authorities and to other persons legally or contractually entitled to receive such data. Likewise, at the request of the data recipients in the event of at least one of the grounds for the lawful processing of personal data referred to in Article 6 of Regulation (EU) 2016/679 (GDPR). The request must specify the purpose of using the video data, the legal basis for its provision and receipt, and the scope of the video data requested.
13. In the event of damage or unlawful conduct recorded on the premises, further investigation of these events may require the personal data to be transferred to the persons investigating the event, i.e. the Data Controllers’ employees, who are tasked with the duty of investigating the circumstances of the event. Such personal data shall be processed by the employees in compliance with the requirements provided for by law.
14. The decision on the provision of video data shall be taken by the Director of the Company or a responsible person authorised by the Director.
15. All employees have the right to access their video data with the consent of the Director. Such employees are obliged to comply with the requirements established by the legislation on the protection of personal data when exercising this right.

V.     ORGANISATIONAL AND TECHNICAL MEASURES FOR PERSONAL DATA SECURITY

16. The following organisational and technical measures for personal data security have been implemented to ensure the security of video data:
    • access to live video surveillance is limited to those employees whose job functions necessitate the use of live video surveillance data;
    • only the employees responsible for the supervision of the video surveillance system, as specified in these Rules, shall be authorised to process the recorded video surveillance data;
    • access to video data is secured, managed and protected (with passwords);
    • personal data is protected against unauthorised access to the local area network through electronic communications;
    • the premises where the video data is stored are kept secure and the data storage devices are suitably protected (the data storage devices are kept in locked rooms/lockers, and unauthorised persons are restricted from entering such premises, etc.);
    • the computer equipment is protected against malicious software (the computer has anti-virus software, it is fully updated, etc.);
    • the fact that video surveillance is performed shall be displayed in all cases, regardless of whether some designated areas are not being monitored at certain times (e.g. a video surveillance camera is not in operation at all times or operates at fixed intervals, etc.).

VI.   RIGHTS AND OBLIGATIONS OF THE DATA SUBJECT

17. The Data Subject has the following rights:
    • to know (be informed) about the processing of their personal data;
    • to access their personal data;
    • to request the erasure of their personal data (“the right to be forgotten”) if the video data is stored for longer than the retention period specified in these Rules, or to restrict the processing of their personal data;
    • to object to the processing of their personal data.

 

18. The Data Subject’s right to know about the processing of their personal data shall be exercised as follows:
    • Any persons who are not employed by the Data Controller or the Data Processor and whose video data are processed in the course of video surveillance shall be informed of the ongoing video surveillance as follows:
      • By displaying information signs throughout the premises where video surveillance is in operation. The information signs must indicate that video surveillance is in operation, the legal names and registration numbers of the Joint Data Controllers, the contact telephone number of their representative, and the purpose of the video surveillance;
      • When signing lease agreements for premises or workspaces with individuals. The person is obliged to inform any visiting third parties of the video surveillance in operation.
    • The Data Controller’s employees shall be informed of the video surveillance in the workplace (if the workplace is located at the premises subject to video surveillance):
      • Either on approval of these Rules or on the first working day.

 

19. The Data Subject’s right of access to their video data shall be exercised as follows:
    • A copy of the recorded surveillance video (if the recording is saved) may be issued only at the written request of the Data Subject or in accordance with the procedure established by the legislation (specifying the purpose of using the personal data, the legal basis for the provision and receipt of the personal data, and the scope of the personal data to be provided). Such a request shall be accompanied by a document identifying the person. If the request is sent by post or by courier, it shall be accompanied by a notarised copy of the Data Subject’s identity document. Where a representative of the person requests information on the person, they must provide proof of representation and their personal identification document.
    • In response to a request from a Data Subject concerning the processing of their personal data, following verification of the Data Subject’s identity, the Data Subject shall be provided with information as to whether or not personal data relating to them is being processed and shall be provided with the data requested (that is, the Data Subject shall be given the opportunity to view the video or be provided with a copy of the video or still image at their request).
    • As part of the exercise of the Data Subject’s right of access to their video data, the right to privacy of third parties must also be ensured, meaning that, if the video being accessed by the Data Subject shows other identifiable persons or any other information likely to violate the privacy of other persons, the images must be retouched or otherwise rendered so as to prevent the identification of any third parties.
    • Following a request for access to video data from a Data Subject, a reply as to whether or not the video data relating to the Data Subject is processed shall be provided in writing no later than 25 (twenty-five) days from the date of the request.
20. The Data Subject’s right to object to the processing of their video data shall be exercised as follows:
    • The Data Subject’s right to object to the processing of their video data applies to the provision of the video data or to any other processing operation, such as the use of the video data, in accordance with Article 5(1)(5) and 5(1)(6) of the LPDP.
    • The Data Subject’s right to object to the processing of their video data shall be exercised prior to the processing of the video data, on the grounds referred to in Clause 19.2 herein, by informing the Data Subject in writing with the following information: the intention to process the video data (e.g., provision, use, etc.), indicating that the Data Subject has the right to object to such processing, explaining that the objection must have a legal basis and be expressed by means of a written notice to the Data Controller, whether in person, by post or by electronic means, and setting a reasonable time limit within which the Data Subject has the right to express their opinion.
21. The Data Subject’s right to request the erasure of their personal data shall be exercised as follows:
    • If the Data Subject, having examined the processing of their personal data, establishes that their personal data are being processed unlawfully or unfairly and they or their authorised representative contact the Data Controller, the Data Controller shall immediately, and at the latest within five (5) working days, verify the lawfulness and fairness of the processing of the Data Subject’s personal data free of charge, and shall immediately erase the unlawfully and unfairly stored personal data or suspend the processing of such personal data, except for storage. Such personal data shall be kept until it is destroyed (at the request of the Data Subject or at the end of the retention period). Any further processing operations on such data may only be undertaken in the following cases:
      • For the purpose of proving the circumstances that led to the suspension of the processing;
      • Where the Data Subject, directly or through a representative, consents to further processing of their personal data;
      • Where necessary to protect the rights or legitimate interests of third parties.

22. The Data Controller shall notify the Data Subject or their authorised person immediately, and no later than within 5 (five) working days, of the erasure or destruction of the personal data of the Data Subject or the suspension of the processing of the personal data at their request.
23. The Data Controller shall have the right to refuse to exercise the Data Subject’s rights on the grounds stated in Article 23(2) of the LPDP.
24. At the request of law enforcement authorities and other authorities to which the Company undertakes to provide personal data in accordance with the procedure established by law, the recorded video (or a copy thereof) may be released without the consent of the persons recorded in the video.
25. In order to protect the personal data and interests of the Company’s customers, third parties shall be allowed to take photographs, video or audio recordings within the premises and territory of all service stations only if they request and receive prior permission from the Company’s management, stating the reason for the request and the legal grounds for the filming, photographing and/or audio recording.
26. The decision to allow photography, videography or audio recording on the premises and in the territory shall be taken by the Director of the Company or the responsible person authorised by the Director.

VII. FINAL PROVISIONS

27. These Rules are available on the Company’s website youston.lt and the information boards at the premises subject to video surveillance.
28. All employees of the Company shall be informed of the Rules and required to sign them, thereby agreeing to comply with them and with other legal acts governing the processing of personal data.
29. The Company’s employees in breach of the requirements of these Rules shall be liable in accordance with the procedures established by law.

  _________________________