I. Online Booking Process

Steps of booking through the online booking system:
1. The Client may choose from the Packages and standard accommodation offered as stated in the booking table.
2. On familiarisation with the Package and its price, the Client selects the time of stay for the selected room as well as additional terms or a Package.
3. On selection of an offer, the Client proceeds to a form, which needs to be completed by specifying the Client’s personal data and optional comments on the booking.
4. On completion of the form the Client makes an advance payment by one of the following methods:
* Credit card (Visa, Mastercard, Eurocard);
* Electronic bank transfer (UAB Paysera LT).
4a. Having selected one of the first two options the Client is directed to a page where payment can be made by means of UAB Paysera LT payment system. Authorisation starts upon connection to UAB Paysera LT through an encrypted 128 bit protocol. After UAB Paysera LT accepts the payment, the Client receives a confirmation of payment and booking by an automatic email message. The email message will specify the Client’s data, name of the hotel, total price of the accommodation, advance payment made and the remaining amount payable. The Client will pay the remaining amount upon arrival to the hotel. The email message confirming the booking has to be presented at the hotel as a proof of the advance payment and of the remaining amount payable.
4b. Having selected the third option (payment by bank transfer or later payment), the Client will receive a confirmation of initial booking, which will be finally confirmed upon making the advance payment by an ordinary bank transfer or online. The booking has the status of an initial booking 48 hours after its making and may be cancelled if no advance payment is received. On receipt of the advance payment, an email message confirming the booking is sent to the Client. The Client has to present the confirmation email to the hotel manager for final settlement.
4c. Client, who uses an account in the BookingRobot system has the ability to link his credit card (s) to the account. In this case, each time you purchase a hotel service, a monetary amount will be debited from the customer's credit account automatically, once, at the time of purchase. No additional payments are required. A card link can be canceled at any time in account settings, by pressing "Delete" button. The data security of the client’s credit cards is provided by UAB Paysera LT, accredited by the Lithuanian Bank.
5. The Client understands that, in case of a failure/programming error in the online booking system, the published price for the services is unreasonably low/high considering the content of the services; the hotel is entitled to notify the error to the Client within 10 days from the booking confirmation and request payment of the full price. Should the Client refuse to pay the full price, the hotel may cancel the contract/refuse to provide the services. In such a case, the hotel will not indemnify the Client for any losses.

Ia. Booking at Request
In cases where there are no rooms available online, the Client may be offered a room at the Client’s request. Upon completing the form, the Client receives an email confirmation of the time of stay (or information that no rooms are available) with the instructions for the making of the advance payment. The Client may make an advance payment by credit card or by an electronic or ordinary bank transfer. The booking will be confirmed upon receipt of the advance payment. Upon making the advance payment the Client will receive an email confirmation of the booking, which the Client has to present upon arrival to the hotel for final settlement.

II. Payment and Cancellation of Booking

1. The Client makes the advance payment by one of the three methods used by the system and pays the remaining amount upon arrival to the hotel.
2. There are no booking transaction costs for the Client.
3. Cancellation fee equal to 6 % of the advance payment is applied for the cancellation of the reservation notified no later than 48 hours prior to the noon on the expected date of arrival.
4. Should the Client cancel the booking less than 3 days prior to the arrival time, the advance payment will not be refunded. In case of such cancellation, the Client will lose the advance payment.
5. Should the Client change the booking details after making an online booking at a discount price of the Package offered by the hotel, the hotel is entitled to recalculate the full price of the order at the current prices.

III. Final Provisions

1. The Client is obliged to provide correct details in the booking form. The hotel is not liable for the wrongly chosen check-in or check-out dates or any other details wrongly specified by the Client.
2. Responsibility for the correct servicing of the payment for the online booking lies with UAB Paysera LT electronic payment system.
3 . The hotel and the company servicing online payments are not liable for unavailability of the system and other faults occurring for reasons beyond their control.

IV. Personal Data

By booking a Package at the hotel, the Client agrees to the recording of his/her personal data in a service database. The data will be used for the finalisation of the booking procedure and for marketing purposes under the agreement on personal data protection dated 28/09/1997.

V. Confirmation of Acceptance of Terms and Conditions

By ticking ‘Accept Terms and Conditions’, the Client confirms that he/she understands and accepts the terms of conditions of the booking. The booking is not valid without such confirmation.

Gift coupons reservation rules:

1. The Present coupon(s) confirms the right of the holder of the Present coupon(s) to use servises specified in the amount of coupon(s).
2. The holders of the Present coupon(s) can enjoy the services provided belonging only to Grand SPA Lietuva.
3. If the desired purchase amount exceeds the value of the Present coupon(s), actual difference can be paid in cash.
4. The Present coupon shall not be exchanged to cash.
5. The Present coupon(s) is valid during 6 months period from its purchase date.
6. If the Present coupon was not used until the end of its validity period, it will be regarded as null and void.
7. If the holder of the Present coupon acquires services for the amount lower that the amount specified in the Present coupon(s), remaining amount is not returned to the holder of the Present coupon.
8. The holder of the Present coupon having paid by the Present coupon(s), shall not be given the VAT invoice.
9. The gift voucher can be extended for one month, the extension cost 10.00 EUR, it can be extended only 2 times.

• By clicking on the "AGREE" button, you confirm that you are familiar with and agree to the following:

1. with the internal regulations of the hotel Grand SPA Lietuva UAB
2. with the procedure for the processing of personal data at Grand SPA Lietuva UAB. You understand that your personal data are required for the purposes of a residential rental and related service contract to be concluded and fulfilled, a SPA services agreement to be concluded and fulfilled as well as therapeutic and dental services to be provided
3. with the processing of health data by Grand SPA Lietuva UAB and you understand that Grand SPA Lietuva UAB needs to know your certain health data, which are necessary in order to select an appropriate treatment and products therefor and to evaluate potential complications and side effects. You have been informed that the above data will only become known to the SPA therapist who will render the services to you and that the health data will neither be recorded anywhere, nor transferred to anybody
4. by refusing to receive the newsletter in the previous step of your online registration, you confirm that you do not consent to the use of your personal data for direct marketing purposes.

• Online self-check-in is possible only with your consent. In case disagree, please check-in at the hotel.
• Internal regulations of hoteland Personal Data Processing Procedures are listed below. 

INTERNAL REGULATIONS OF HOTELS GRAND SPA LIETUVA

1. Check-in from 3 p.m, check-out until 12 p.m.
2. A late check-out fee of 25, 00 EUR per room is applied for the extended stay until 4 p.m. After 4 p.m. a fee equivalent to a daily room rate is applied.
3. Visitors are responsible for their safety when visiting the water park and gym.
4. At check – in, please show your personal document.
5. Please leave your key – card at the reception, at check – out. If you have lost it, the amount of 6.50 EUR is included in to your bill.
6. If you stay in the hotel on half board basis, please choose lunch or dinner option on the day of the arrival. If you wish to make any changes to your meal plan, please inform the front desk staff no later than the evening before your meal. If packed lunch is required instead of breakfast, lunch or dinner, please pre-order it at the restaurant the day before till 6 p.m..
7. After using the mini bar, please fill-up a mini bar form specifying snacks and/or beverages consumed and pay for them at check-out.
8. Smoking inside the buildings of Grand SPA Lietuva is forbidden. There is 100,00 EUR violation fee for the guests who do not comply.
9. For Your safety, please do not allow people who are not registered in our hotels to stay in your room.
10. Please note, the hotel guests have to pay for their visitors staying overnight.
11. Changing the room outside the fault of the hotel is charged 12,00 Eur.
12. Please store all valuables in the safe deposit boxes. They are available in the rooms of the hotels Druskininkai and Dzūkija, and at the hotel Lietuva reception.
13. There is no money refund for unused packages or services.
14. Iron and ironing board can be borrowed free of charge on a temporary basis.
15. Thank you for protecting inventory of the hotels. The guests are responsible for any loss or damage to the hotels property caused by themselves, their guests or any person for whom they are responsible (the damage is determined by a hotel’s administration).
16. We kindly ask you to inform a hotel administrator about any technical and equipment breakdown.
17. To ensure your safety, there are security cameras equipped in the hotel premises.
18. Housekeeping service is performed from 9 a.m to 5 p.m when the guest is not in the room.
19. If you want your laundry to be washed the same day, please inform a hotel administrator till 9 a.m. The service is not provided on weekends.
20. Please respect the other guests’ right to rest and keep silence in the hotel from 11 p.m to 6 a.m. Failure to comply with this rule leads to a verbal warning, second warning carries a fine of 100 Eur, third and final warning carries additional fine of 100 Eur and police involvement.
21. If you are disturbed, please inform the personnel on duty.
22. Guests who pose a threat to themselves and others who are intoxicated to psychotropic substances or alcohol can be evicted from “Grand SPA Lietuva” complex.
23. It is strictly forbidden to drink alcohol at the lobby of a hotel.
24. Pets are welcome in the Hotel “Druskininkai” and hotel “Dzūkija”. Pet fee of 17,00 EUR per night is applied in the hotel “Druskininkai” and 20 EUR in the hotel “Dzūkija”. Pet owners are fully responsible for their pets. Pets must not be left unattended in the hotel; they must not make noise and disturb other guests. For more information, contact the reception staff.
25. Payments accepted in cash EUR, or by credit cards Visa, Maestro, MasterCard and Eurocard.
26. The guests of the hotel must comply with fire safety regulations.
27. Person who reserves package at the hotel agrees his personal data will access database. These data will be used for the final execution of reservation procedure. Personal data are processed in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania No. 11, 1996-06. I-1374. The rights of the data subject are enforced in accordance with the procedure set out in Articles 23-27 of the ADPTA. The data subject is given the opportunity to refuse at any time to process his personal data for marketing purposes by receiving a newsletter and clicking on the refusal link.
28. Any disputes are resolved through negotiation between the parties. If the dispute is not resolved, it will be be governed by, and construed in accordance with, the laws of Lithuania.

CUSTOMER PERSONAL DATA PROCESSING PROCEDURE
NOTIFICATION OF THE PROCESSING OF PERSONAL DATA

Dear customers,

Pursuant to the General Data Protection Regulation, please be informed of the processing of your data.

Depending on the nature of services that you use, Grand SPA Lietuva UAB processes the following data of yours:

1. Your data necessary for the residential rental and related service contract to be concluded and fulfilled (e.g. forename, surname, date of birth, telephone number, special requests, etc.). The legal basis for such processing of the above data lies in a residential rental and related service contract to be concluded and fulfilled as well as room reservations and service bookings at your request. These data are necessary in order for us to be able to render our services to you. Therefore, unless you provide the above data, we will be unable to render residential rental and related services. The above data shall be retained by the company for a period of 3 years.
2. For the purpose of ensuring the security of the company, the employees, the customers, and their property, the Company’s territory and rooms marked with individual information messages are CCTV monitored. The legal basis for CCTV monitoring lies in a legitimate interest of the company to ensure the security of the company, the employees, the customers, and their property. The above data shall be retained by the company for a period of 90 days.
3. Your data necessary for a SPA service agreement to be concluded and fulfilled (e.g. forename, surname, health data, booked services, etc.). The legal basis for such processing of the above data lies in a SPA service contract to be concluded and fulfilled, whereas the legal basis for the processing of health data shall be your consent. The above data are necessary in order for us to be able to render high-quality SPA services to you. Therefore, unless we receive such data, we will be unable to render SPA services. Any such consents shall be retained for 1 year. Health data shall not be retained.
4. Your data necessary for the provision of therapeutic services (e.g. forename, surname, and health data). The legal basis for such processing of the above data lies in an agreement for health care and therapeutic services, concluded with you, to be fulfilled. The above data are necessary in order for us to be able to render health care and therapeutic services to you. Therefore, unless we receive such data, we will be unable to render the above services. The afore-mentioned data shall be retained for 15 years.
5. Your data necessary for the provision of dental services (e.g. forename, surname, and health data). The legal basis for such processing of the above data lies in an agreement for dental services, concluded with your, to be fulfilled. The above data are necessary in order for us to be able to render our services to you. Therefore, unless we receive such data, we will be unable to render the above services. The afore-mentioned data shall be retained for 15 years.
6. Your data (e.g. forename, surname, and email) processed for direct marketing purposes (sending messages, news, information, and offers). Such data are processed for the above purposes only with your consent. Your consent to have personal data processed for direct marketing purposes shall be effective for 3 years or until it is withdrawn. Afterwards, the consent shall be retained for 3 years further.
7. Data controller. Controller of the afore-mentioned data: Grand SPA Lietuva UAB, V.Kudirkos g. 45, Druskininkai;
8. Contact details of the Data Protection Officer: dap@achemosgrupe.lt; tel.  +370 (693) 79272
9. Recipients of personal data.  Your personal data may be transferred to:
• Data processors, engaged by the company, that undertake certain works and provide services (intermediaries that process data for the purposes of having contracts with the customers concluded and managed; IT companies that process data to ensure the development and improvement of and support to the information systems; companies that ensure the forwarding of messages to customers, render security and other services, including legal, financial, tax, business management, HR management, and accounting services);
• a court, law enforcement agencies or public authorities insofar as provided by the requirements of the legislation as well as for the purpose of seeking remedies by the company in relation to its infringed rights (e.g. in order to have any damage compensated);
• in case of private health insurance, the insurance companies;
• in other cases, only with your consent or at your request.
10. Your rights. Please be advised that you have the following rights: the right to request access to your personal data and to have them rectified or erased, the right to restrict the processing of data, the right to object to the processing of personal data as well as the right to the portability of personal data. You may exercise these rights in accordance with the procedure established in the legislation.
    Any requests exercising your rights must be submitted to the company in writing (including the electronic format) so that it would be possible to verify the identities of the applicant and the data subject. The data subject’s identity shall be verified according to their identity document or via electronic means which allow appropriate identification of the person. If the data subject transmits their request by post or via a courier, the request must be accompanied by a copy of the data subject’s identity document certified in accordance with the procedure established in the legislation. If the information about a person is requested by their representative, they must provide a document of representation along with the data subject’s and the representative’s identity documents, unless there are other reasonable means to identify the representative and the data subject.
    In regards to the data subject’s rights to be exercised, please contact dap@achemosgrupe.lt, tel. +370 (693) 79272, juristas@grandspa.lt, tel. +370 615 52877.
    In addition, you have the right to withdraw your consent to the processing of your data at any time where the data are processed on the basis of your consent. Withdrawal of consent does not affect the legitimacy of consent-based processing of personal data carried out prior to the withdrawal of consent. You may withdraw your consent at juristas@grandspa.lt.
11. Personal data retention period. Data retention periods have been provided above in this notification when addressing every single purpose for the processing of data. These periods may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including an investigation by the State Data Protection Inspectorate, civil, administrative or criminal proceedings, or in other cases stipulated by the laws. In this case, personal data may be retained as long as necessary for the above purposes and shall be destroyed without delay when they are no longer required.
12.  Data sources. If the services had been booked via third parties, some of your personal data necessary for room reservations and service bookings were received from third parties that had booked the service on your behalf (e.g. tourism agencies, international booking systems, etc.). Other data processed by the company have been obtained directly from you.
13. Automated decision-making. Please be informed that your personal data referred to herein will not be used for automated decision-making in your respect, including profiling.
14. Making complaints. Please be advised that you have the right to make a complaint against the acts (omissions) of Grand SPA Lietuva UAB to the State Data Protection Inspectorate and a court of law subject to the procedure established in the legislation, and to appeal against the acts (omissions) of the State Data Protection Inspectorate to a court of law.

CONSENT TO THE PROCESSING OF HEALTH DATA

please be informed that in order for us to render the SPA services that you require in a skilled and high-quality manner we must know some of your health data, which are necessary to select an appropriate treatment and the products therefor and to evaluate potential complications and side effects.

In the light of the above, please kindly provide us with your consent so that we could process, i.e. learn, your health data.

Please be informed that such data will only be known to your SPA therapist that will render services to you. Your health data will neither be recorded anywhere, nor transferred to anyone.

Pursuant to Article 13 of the General Data Protection Regulation, we are providing you with the following information in relation to the processing of your data on the basis of the present consent:

1. Data controller: Grand SPA Lietuva UAB, V.Kudirkos g. 45, LT-66120 Druskininkai, email: info@grandspa.lt.; tel. +370 (693) 79272, juristas@grandspa.lt, tel.  +370 (615) 52877.
2. Contacts of the Data Protection Officer: email: dap@achemosgrupe.lt., tel. +370 612 22646.
3. Purposes of data processing: your health data referred to in the present consent shall be processed for the purpose of having an appropriate SPA service rendered to you.
4. Legal basis for data processing: an agreement for SPA services concluded with yourself to be fulfilled and the present consent. We would like to advise you that unless the SPA therapist receives the necessary information about your health, we will be unable to render high-quality SPA services to you as we will not be able to appropriately assess the risk of the service to your health.
5. Recipients of personal data. Please be informed that your health data will neither be transferred to anybody, nor recorded anywhere.
6. Rights of data subjects. Please be advised that you have the following rights: the right to request access to your personal data and to have them rectified or erased, the right to restrict the processing of data, the right to object to the processing of personal data as well as the right to the portability of personal data. You may exercise these rights in accordance with the procedure established in the legislation. Any requests exercising your rights must be submitted to the company in writing (including the electronic format), and it must be possible to verify the identities of the applicant and the data subject. The data subject’s identity shall be verified according to their identity document or via electronic means which allow appropriate identification of the person. If the data subject transmits their request by post or via a courier, the request must be accompanied by a copy of the data subject’s identity document certified in accordance with the procedure established in the legislation. If the information about a person is requested by their representative, they must provide a document of representation along with the data subject’s and the representative’s identity documents, unless there are other reasonable means to identify the representative and the data subject.
   In regards to the data subjects’ rights to be exercised, please contact us at the contacts provided in paragraphs 1 or 2.
7. Right to withdraw consent.In addition, you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the legitimacy of consent-based processing of personal data carried out prior to the withdrawal of consent. You may withdraw your consent by contacting the Company at the contacts referred to in paragraphs 1 or 2.
8. Personal data retention period. Please note that your health data will not be retained in any form whatsoever. This consent is valid only for the duration of the SPA services to be rendered or until the customer’s departure from the hotel where they are a hotel customer, and it shall be retained for 1 year following the SPA services rendered.
9.  Making complaints. Please be advised that you have the right to make a complaint against the acts (omissions) of Grand SPA Lietuva UAB to the State Data Protection Inspectorate and a court of law subject to the procedure established in the legislation, and to appeal against the acts (omissions) of the State Data Protection Inspectorate to a court of law.

We wish You a pleasant stay! You are always welcome at our hotels!

By order of the general manager of Grand SPA

Lietuva UAB, No. ĮT-69

I. General provisions

1. Grand SPA Lietuva UAB (hereinafter referred to as the Company) seeks to protect the privacy of individuals and respects their rights; therefore, this Privacy Policy clearly and transparently provides the principles applicable for collecting and using information on the Company's website, as well as other information about the Company's provisions and principles in ensuring Personal Data protection. The Company points out that this policy does not apply when individuals are browsing other companies' websites or using third-party services through the Company's network.

2. When processing Personal Data, the Company is guided by the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania and other related legislation. The terms used in the Privacy Policy are understood as defined in the General Data Protection Regulation and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.

3. This Privacy Policy applies to the assurance of the protection of Personal Data of individuals – future employees and customers, including potential, former and existing customers (hereafter referred to as Individuals or Data Subjects).

4. Individuals are requested to carefully read this Privacy Policy in order to understand the Company's attitude and practice regarding the Personal Data of Individuals and how the Personal Data will be processed and stored.

5. Data controller – the Company, head office address V. Kudirkos g. 45, LT-66120 Druskininkai, e-mail address: info@grandspa.lt. The Company has appointed a Data Protection Officer with the following contact details: e- mail address: dap@achemosgrupe.lt, tel. 8 612 22646. The customer and/or the employee can contact on the issues of Personal Data protection: juristas@grandspa.lt, tel. 8615 52877 II. The purposes of Personal Data processing, the Personal Data collected, the term of their storage and the basis for processing

6. Purposes of data processing: 6.1. Direct marketing (sending newsletters and offers).

6.1.1. The Company uses and processes Personal Data for direct marketing purposes only if the Individuals have given their corresponding consent. You can confirm your consent for using your Personal Data for direct marketing purposes by signing of/providing your details on the website.

6.1.2. The following Personal Data is processed for the purpose of direct marketing:

6.1.2.1. full name,

6.1.2.2. e-mail address.

6.1.3. The specified Personal Data are collected and processed on the basis of consent. Persons must submit an e-mail address in order to receive newsletters/offers.

6.1.4. The term of storage of Personal Data processed for direct marketing purposes is 3 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pretrial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary. 2

6.1.5. The data subject has the right not to give or to withdraw his consent to the processing of his Personal Data for direct marketing purposes at any time, including profiling, insofar as it relates to such direct marketing, without giving reasons for non-consent:

6.1.5.1. By sending an e-mail to marketing@grandspa.lt or by calling +370 686 58 450;

6.1.5.2. By clicking on the link “Unsubscribe” at the end of the newsletter.

6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.

6.1.7. Persons under the age of 14 cannot provide any Personal Data for marketing activities through the Company's website. If you are a person below the age of 14, you must obtain the consent of your parents or other legal guardians before submitting personal information for marketing activities.

6.2. Loyalty programme

6.2.1. The customer who has filled out the Customer profile questionnaire agrees to participate in the hotel loyalty program and has no objections to his Personal Data to be used for direct marketing purposes. The Customer agrees to receive information on the privileges offered to the Loyalty Programme participants, special promotions and news.

6.2.2. When the customer has given a consent to process the data solely for the purpose of executing the Loyalty Programme, the customer's profile and the Personal Data are stored in the administration system until the person is a member of the Loyalty Programme and 3 years after he no longer participates in the Loyalty Programme (for example, withdraws his consent to process the data for the purpose of the Loyalty Programme or expressed the intention not to be participant of the Loyalty Programme).

6.2.3. The following Personal Data is processed for the purpose of the Loyalty Programme:

1. Full name;

2. Date of birth;

3. Telephone number;

4. Country;

5. Gender;

6. Language in which the customer would like to receive a newsletter;

7. E-mail address;

8. Loyalty card number;

9. Personal purchase history;

10. Economic value of the purchase;

11. Signature

6.1.5. The data subject has the right to refuse or withdraw his consent to the processing of his Personal Data at any time for the purposes of the Loyalty Programme without giving reasons for such objection:

6.1.5.1. By sending an e-mail to vip@grandspa.lt or by calling +370 612 94818.

6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.

6.3. For the purpose of the processing of data relating to accommodation and health/SPA services in order to conclude and execute contracts.

6.3.1. For the purpose of contracting and executing the contract, the following Personal Data is processed:

6.3.1.1. Full name;

6.3.1.2. Telephone number;

6.3.1.3. Date of arrival/departure;

6.3.1.4. E-mail address;

6.3.1.5. Is a visitor planning to stay with a child, the number of children and age;

6.3.1.6. Personal preferences (if the person specifies them himself);

6.3.1.7. Room type;

6.3.1.8. Order price;

6.3.1.9. Payment form;

6.3.1.10. Additional requested services (e.g., special dinner, health/SPA procedures);

6.3.1.11. Catering: lunch, breakfast, dinner;

6.3.1.12. Address;

6.3.1.13. Country;

6.3.1.14. Booking number; 3

6.3.1.15. Preferred language of communication;

6.3.1.16. Other data required for ordering services.

6.3.2. Personal Data related with the conclusion and implementation of contract will be processed for 10 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.

6.4. The purpose of provision of responses and information to Individuals.

6.4.1. In the event that the Individuals submit a request/complaint through the Company's website, by email or by telephone consultation, in order to properly answer the request, the Company collects and manages the following data: name, surname, phone number, e-mail, room number, services ordered. If the Individuals do not provide sufficient details to identify the Individual or the services provided to him, the Individual will not be able to receive appropriate and comprehensive advice on the relevant matter

6.4.2. The following Personal Data are processed: 1) on the basis of the consent, expressed by Individuals in consenting actions; 2) The processing of data is necessary in order to fulfil the legal obligation imposed on the Data Controller; 3) The processing of data is necessary for the legitimate interests of the Data Controller, namely, to examine and process requests, claims, to improve customer service quality, and serve customers.

6.4.3. Data storage term: 12 months. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.

6.4.4. The Company uses your Personal Data only in order to properly and objectively investigate the queries of Individuals, provide the Individuals the necessary information, answer their questions, and resolve requests or provide consultations. The Company can also analyze the data in the query in order to improve the quality of our activities and the services provided to you, taking into account your opinions and suggestions.

6.4.5. The Company does not disclose the contents of personal correspondence with Individuals. However, if the Individual’s request or claim is received on public comments of of websites or social networking, the Company reserves the right to provide a public answer/comment, in the same form as they request was received.

6.4.6. Upon the expiration of your data processing and retention period set forth in this Policy, the Company will destroy your data or depersonalise you reliably and irrevocably as soon as possible, within a reasonable and justifiable timeframe for such action. The Company will not be able to meet this requirement if the request is submitted through the websites/social networking accounts not administered by the Company.

6.5. The purpose of the selection of personnel (candidates for vacancies in the Company).

6.5.1. For the personnel selection purposes the Data Controller manages the Personal Data submitted voluntarily by the Candidate, to the extent that the Personal Data were submitted through the Company's website, sent to the Company's e-mail or brought to the Human Resources Department:

6.5.1.1. name;

6.5.1.2. e-mail;

6.5.1.3. telephone;

6.5.1.4. other data provided by the data subject.

6.5.2. Candidates' data are processed on the basis of the consent, expressed by submitting their data and seeking to take action by the consenting actions of a Candidate, by submitting data through the Company's website, sending them to the Company's e-mail or bringing to the Human Resources Department.

6.5.3. Upon expiration of the period of selection for a specific position, the Company deletes the CV and other data of the Candidates, unless the Company has obtained the consent of the Candidate to process his/her personal data for longer so that the Company can offer a job position.

7. The Company's uses cookies on its website usually in order to facilitate the use of the website and to provide more specific and adequate information to Individuals. Using cookies, you are identified as a visitor and the content is tailored to your needs. Using cookies makes it easier for us to understand the needs of 4 Individuals. The traffic statistics we receive are helpful in determining the effectiveness and improvement of our website. More information on cookies can be found here.

8. The Data Controller shall, in accordance with the specific purposes for the processing of Personal Data, protect Personal Data in accordance with the above terms.

9. Upon expiration of the Personal Data processing terms specified in this Privacy Policy, to Personal Data is deleted, except for the exceptions indicated in the Privacy Policy.

10. The Company processes Personal Data responsibly, legally, fairly and transparently. In determining the Personal Data processing tools, as well as during the data processing, the Company implements appropriate technical and organizational measures of data protection to protect Personal Data being processed from accidental or unlawful destruction, damage, alteration, loss, disclosure, as well as any other unlawful processing.

11. In the event that Individuals choose passwords that enable them to use certain features of the Website, Individuals are solely responsible for the confidentiality of passwords. The Company asks Individuals not to disclose or share passwords with third parties.

12. Individuals must take active measures to ensure the confidentiality of their Personal Data and should make maximum efforts to protect the password for accessing the website from disclosure to third parties and not to disclose it directly (indirectly) to third parties and to ensure that no third parties could use their data through the website and/or the services provided by the Company and/or for other purposes. Individuals shall be liable for any acts of third persons if they were done using the Personal Data and all obligations and responsibilities arising out of or related to such third party actions shall be fully binding to the Individuals.

13. If the Company has doubts about the correctness of the Personal Data provided by the Individuals, the Company has the right to suspend the processing of such Personal Data, to verify and correct these data.

14. Notwithstanding the fact that the Company makes all reasonable efforts to protect the Personal Data of Individuals, the Company notes that the data transmitted by electronic means of communication are transmitted through the networks operated by the providers of electronic communications services and therefore the Company cannot guarantee and is not responsible for data security and security by transmitting the data in this manner. Any data transfer procedures are performed solely at the risk of Individuals. From the moment of receipt of data, the Company applies strict Personal Data protection procedures and technical and organizational measures for the protection from unauthorized access to the Personal Data. III. Provision of data to third parties

15. The Personal Data may be handed over for processing to data processors who help to and enforce and manage the provision of the Services. These persons may include database software vendors, database administrators, data centres, hosting and cloud service providers, direct marketing service providers, market research or business intelligence service providers, accounting service providers, auditors, legal and financial advisers, etc., partners used for the purpose of fulfilling a specific order (courier service, payment service provider, etc.).

16. Personal Data may be transferred to the court, law enforcement agencies or state institutions to the extent that such provision is provided by legal requirements (e.g.: bailiffs, courts, etc.).

17. Personal Data may also be transferred to other persons with the consent of the Data Subject, if such consent is obtained on a case-by-case basis.

18. In each case, we provide to the data processor only as much data as is absolutely necessary to complete a specific order or provide a specific service.

19. Data processors recruited by the Company can process your personal data only according to our instructions and cannot use them for other purposes or transfer to others without the Company's consent. In addition, they must ensure the security of Personal Data in accordance with applicable law and written agreements with us.

20. If the Company uses the website analysis service (such as Google Analytics) to determine how you use the information provided on the Website www.grandspa.lt, the Company may exchange your depersonalized data with third parties who rely on this information to evaluate how the Website is used, to prepare reports the website operators about the Website functioning, and to provide other services related to the use of the website and the mobile application.

21. The Data Controller does not provide for the possibility of sending Personal Data to a third party (a country that is not a Member State of the European Union or the European Economic Area) or to an international organization, except as provided for in this Privacy Policy. 5

22. If the Data Controller will transfer Personal Data to companies or organizations in third countries, the Data Controller will ensure the procedures for ensuring the level of processing and protection of Personal Data set forth in the regulatory enactments. IV. Rights of the Data Subject

23. The data subject whose data is processed in the activities of the Data Controller has the following rights:

23.1. To know (be informed) about his data processing (right to know);

23.2. Having access to your data and the manner in which they are processed (right to access);

23.3. Request to correct or supplement the incomplete personal data (right to rectify), taking into account the purposes for the processing of personal data;

23.4. Destroy your data or suspend the processing of your data (except for storage) (right to destroy and right to “be forgotten”);

23.5. Have the right to require the data controller to restrict the processing of personal data for one of the legitimate reasons (right to limit).

23.6. Have the right to data transfer (right to transfer);

23.7. To oppose to the processing of Personal data when this data is processed or intended to be processed for direct marketing purposes, including profiling, insofar as it relates to such direct marketing;

23.8. You have the right to withdraw the consent to process data at any time, when the data is processed on the basis of consent. The withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal. You may withdraw the consent as described in section 6.1.5 of the Privacy Policy.

23.9. Submit a complaint to the State Data Protection Inspectorate of the Republic of Lithuania.

23.10. Applications for the implementation of rights be submitted to the Company in writing (including the electronic format), it must also be possible to identify the person who submitted the request and the data subject. The data subject is identified from the identity document or by electronic means of communication that allows the person to be properly identified. If the request is sent by the data subject by post or by the courier, a copy of the document confirming the identity of the data subject, approved in accordance with the statutory procedure, must be attached to the application. When a person's information is being sought by his representative, he must provide a document demonstrating his right to represent and a document confirming the identity of the data subject and the representative, unless it is possible to identify the representative and the data subject in other reasonable manner. Information of third parties on the Company's website

24. The Company's website may contain links to other people's, company's or organization's websites. Please note that the Company is not responsible for the content of such websites or the privacy principles they use. So if you click on a link from the Company's website to access other websites, you should take a look at their privacy policy separately. V. Miscellaneous

25. The Data Controller has the right to make additions to the Privacy Policy by placing them on the Data Controller's website. 26. This Privacy Policy and any subsequent changes thereto apply from the day they are posted on the Website.

27. Individuals' questions, comments, and preferences related to the Privacy Policy are submitted to the following email address: juristas@grandspa.lt, tel. +370 615 52877 .

28. Company’s contact details: Address: V. Kudirkos g. 45, LT-66120 Druskininkai, tel. +370 (693) 79272, e-mail: info@grandspa.lt