APPROVED by:
By order of the general manager of Grand SPA Lietuva UAB, No. ĮT-69
I. General provisions
1. Grand SPA Lietuva UAB (hereinafter referred to as the Company) seeks to protect the privacy of individuals and respects their rights; therefore, this Privacy Policy clearly and transparently provides the principles applicable for collecting and using information on the Company's website, as well as other information about the Company's provisions and principles in ensuring Personal Data protection. The Company points out that this policy does not apply when individuals are browsing other companies' websites or using third-party services through the Company's network.
2. When processing Personal Data, the Company is guided by the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania and other related legislation. The terms used in the Privacy Policy are understood as defined in the General Data Protection Regulation and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.
3. This Privacy Policy applies to the assurance of the protection of Personal Data of individuals – future employees and customers, including potential, former and existing customers (hereafter referred to as Individuals or Data Subjects).
4. Individuals are requested to carefully read this Privacy Policy in order to understand the Company's attitude and practice regarding the Personal Data of Individuals and how the Personal Data will be processed and stored.
5. Data controller – the Company, head office address V. Kudirkos g. 45, LT-66120 Druskininkai, e-mail address: info@grandspa.lt. The Company has appointed a Data Protection Officer with the following contact details: e-mail address: dap@achemosgrupe.lt, tel. 8 612 22646. The customer and/or the employee can contact on the issues of Personal Data protection: juristas@grandspa.lt, tel. 8615 52877.
II. The purposes of Personal Data processing, the Personal Data collected, the term of their storage and the basis for processing
6. Purposes of data processing:
6.1. Direct marketing (sending newsletters and offers).
6.1.1. The Company uses and processes Personal Data for direct marketing purposes only if the Individuals have given their corresponding consent. You can confirm your consent for using your Personal Data for direct marketing purposes by signing of/providing your details on the website.
6.1.2. The following Personal Data is processed for the purpose of direct marketing:
6.1.2.1. full name,
6.1.2.2. e-mail address.
6.1.3. The specified Personal Data are collected and processed on the basis of consent. Persons must submit an e-mail address in order to receive newsletters/offers.
6.1.4. The term of storage of Personal Data processed for direct marketing purposes is 3 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pretrial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.
6.1.5. The data subject has the right not to give or to withdraw his consent to the processing of his Personal Data for direct marketing purposes at any time, including profiling, insofar as it relates to such direct marketing, without giving reasons for non-consent:
6.1.5.1. By sending an e-mail to marketing@grandspa.lt or by calling +370 686 58 450;
6.1.5.2. By clicking on the link “Unsubscribe” at the end of the newsletter.
6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.
6.1.7. Persons under the age of 14 cannot provide any Personal Data for marketing activities through the Company's website. If you are a person below the age of 14, you must obtain the consent of your parents or other legal guardians before submitting personal information for marketing activities.
6.2. Loyalty programme
6.2.1. The customer who has filled out the Customer profile questionnaire agrees to participate in the hotel loyalty program and has no objections to his Personal Data to be used for direct marketing purposes. The Customer agrees to receive information on the privileges offered to the Loyalty Programme participants, special promotions and news.
6.2.2. When the customer has given a consent to process the data solely for the purpose of executing the Loyalty Programme, the customer's profile and the Personal Data are stored in the administration system until the person is a member of the Loyalty Programme and 3 years after he no longer participates in the Loyalty Programme (for example, withdraws his consent to process the data for the purpose of the Loyalty Programme or expressed the intention not to be participant of the Loyalty Programme).
6.2.3. The following Personal Data is processed for the purpose of the Loyalty Programme:
1. Full name;
2. Date of birth;
3. Telephone number;
4. Country;
5. Gender;
6. Language in which the customer would like to receive a newsletter;
7. E-mail address;
8. Loyalty card number;
9. Personal purchase history;
10. Economic value of the purchase;
11. Signature
6.1.5. The data subject has the right to refuse or withdraw his consent to the processing of his Personal Data at any time for the purposes of the Loyalty Programme without giving reasons for such objection:
6.1.5.1. By sending an e-mail to vip@grandspa.lt or by calling +370 612 94818.
6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.
6.3. For the purpose of the processing of data relating to accommodation and health/SPA services in order to conclude and execute contracts.
6.3.1. For the purpose of contracting and executing the contract, the following Personal Data is processed:
6.3.1.1. Full name;
6.3.1.2. Telephone number;
6.3.1.3. Date of arrival/departure;
6.3.1.4. E-mail address;
6.3.1.5. Is a visitor planning to stay with a child, the number of children and age;
6.3.1.6. Personal preferences (if the person specifies them himself);
6.3.1.7. Room type;
6.3.1.8. Order price;
6.3.1.9. Payment form;
6.3.1.10. Additional requested services (e.g., special dinner, health/SPA procedures);
6.3.1.11. Catering: lunch, breakfast, dinner;
6.3.1.12. Address;
6.3.1.13. Country;
6.3.1.14. Booking number;
6.3.1.15. Preferred language of communication;
6.3.1.16. Other data required for ordering services.
6.3.2. Personal Data related with the conclusion and implementation of contract will be processed for 10 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.
6.4. The purpose of provision of responses and information to Individuals.
6.4.1. In the event that the Individuals submit a request/complaint through the Company's website, by email or by telephone consultation, in order to properly answer the request, the Company collects and manages the following data: name, surname, phone number, e-mail, room number, services ordered. If the Individuals do not provide sufficient details to identify the Individual or the services provided to him, the Individual will not be able to receive appropriate and comprehensive advice on the relevant matter.
6.4.2. The following Personal Data are processed: 1) on the basis of the consent, expressed by Individuals in consenting actions; 2) The processing of data is necessary in order to fulfil the legal obligation imposed on the Data Controller; 3) The processing of data is necessary for the legitimate interests of the Data Controller, namely, to examine and process requests, claims, to improve customer service quality, and serve customers.
6.4.3. Data storage term: 12 months. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.
6.4.4. The Company uses your Personal Data only in order to properly and objectively investigate the queries of Individuals, provide the Individuals the necessary information, answer their questions, and resolve requests or provide consultations. The Company can also analyze the data in the query in order to improve the quality of our activities and the services provided to you, taking into account your opinions and suggestions.
6.4.5. The Company does not disclose the contents of personal correspondence with Individuals. However, if the Individual’s request or claim is received on public comments of websites or social networking, the Company reserves the right to provide a public answer/comment, in the same form as the request was received.
6.4.6. Upon the expiration of your data processing and retention period set forth in this Policy, the Company will destroy your data or depersonalise you reliably and irrevocably as soon as possible, within a reasonable and justifiable timeframe for such action. The Company will not be able to meet this requirement if the request is submitted through the websites/social networking accounts not administered by the Company.
6.5. The purpose of the selection of personnel (candidates for vacancies in the Company).
6.5.1. For the personnel selection purposes the Data Controller manages the Personal Data submitted voluntarily by the Candidate, to the extent that the Personal Data were submitted through the Company's website, sent to the Company's e-mail or brought to the Human Resources Department:
6.5.1.1. name;
6.5.1.2. e-mail;
6.5.1.3. telephone;
6.5.1.4. other data provided by the data subject.
6.5.2. Candidates' data are processed on the basis of the consent, expressed by submitting their data and seeking to take action by the consenting actions of a Candidate, by submitting data through the Company's website, sending them to the Company's e-mail or bringing to the Human Resources Department.
6.5.3. Upon expiration of the period of selection for a specific position, the Company deletes the CV and other data of the Candidates, unless the Company has obtained the consent of the Candidate to process his/her personal data for longer so that the Company can offer a job position.
7. The Company uses cookies on its website usually in order to facilitate the use of the website and to provide more specific and adequate information to Individuals. Using cookies, you are identified as a visitor and the content is tailored to your needs. Using cookies makes it easier for us to understand the needs of Individuals. The traffic statistics we receive are helpful in determining the effectiveness and improvement of our website. More information on cookies can be found here.
8. The Data Controller shall, in accordance with the specific purposes for the processing of Personal Data, protect Personal Data in accordance with the above terms.
9. Upon expiration of the Personal Data processing terms specified in this Privacy Policy, the Personal Data is deleted, except for the exceptions indicated in the Privacy Policy.
10. The Company processes Personal Data responsibly, legally, fairly and transparently. In determining the Personal Data processing tools, as well as during the data processing, the Company implements appropriate technical and organizational measures of data protection to protect Personal Data being processed from accidental or unlawful destruction, damage, alteration, loss, disclosure, as well as any other unlawful processing.
11. In the event that Individuals choose passwords that enable them to use certain features of the Website, Individuals are solely responsible for the confidentiality of passwords. The Company asks Individuals not to disclose or share passwords with third parties.
12. Individuals must take active measures to ensure the confidentiality of their Personal Data and should make maximum efforts to protect the password for accessing the website from disclosure to third parties and not to disclose it directly (indirectly) to third parties and to ensure that no third parties could use their data through the website and/or the services provided by the Company and/or for other purposes. Individuals shall be liable for any acts of third persons if they were done using the Personal Data and all obligations and responsibilities arising out of or related to such third party actions shall be fully binding to the Individuals.
13. If the Company has doubts about the correctness of the Personal Data provided by the Individuals, the Company has the right to suspend the processing of such Personal Data, to verify and correct these data.
14. Notwithstanding the fact that the Company makes all reasonable efforts to protect the Personal Data of Individuals, the Company notes that the data transmitted by electronic means of communication are transmitted through the networks operated by the providers of electronic communications services and therefore the Company cannot guarantee and is not responsible for data security and security by transmitting the data in this manner. Any data transfer procedures are performed solely at the risk of Individuals. From the moment of receipt of data, the Company applies strict Personal Data protection procedures and technical and organizational measures for the protection from unauthorized access to the Personal Data.
III. Provision of data to third parties
15. The Personal Data may be handed over for processing to data processors who help to enforce and manage the provision of the Services. These persons may include database software vendors, database administrators, data centres, hosting and cloud service providers, direct marketing service providers, market research or business intelligence service providers, accounting service providers, auditors, legal and financial advisers, etc., partners used for the purpose of fulfilling a specific order (courier service, payment service provider, etc.).
16. Personal Data may be transferred to the court, law enforcement agencies or state institutions to the extent that such provision is provided by legal requirements (e.g.: bailiffs, courts, etc.).
17. Personal Data may also be transferred to other persons with the consent of the Data Subject, if such consent is obtained on a case-by-case basis.
18. In each case, we provide to the data processor only as much data as is absolutely necessary to complete a specific order or provide a specific service.
19. Data processors recruited by the Company can process your personal data only according to our instructions and cannot use them for other purposes or transfer to others without the Company's consent. In addition, they must ensure the security of Personal Data in accordance with applicable law and written agreements with us.
20. If the Company uses the website analysis service (such as Google Analytics) to determine how you use the information provided on the Website www.grandspa.lt, the Company may exchange your depersonalized data with third parties who rely on this information to evaluate how the Website is used, to prepare reports for the website operators about the Website functioning, and to provide other services related to the use of the website and the mobile application.
21. The Data Controller does not provide for the possibility of sending Personal Data to a third party (a country that is not a Member State of the European Union or the European Economic Area) or to an international organization, except as provided for in this Privacy Policy.
22. If the Data Controller will transfer Personal Data to companies or organizations in third countries, the Data Controller will ensure the procedures for ensuring the level of processing and protection of Personal Data set forth in the regulatory enactments.
IV. Rights of the Data Subject
23. The data subject whose data is processed in the activities of the Data Controller has the following rights:
23.1. To know (be informed) about his data processing (right to know);
23.2. Having access to your data and the manner in which they are processed (right to access);
23.3. Request to correct or supplement the incomplete personal data (right to rectify), taking into account the purposes for the processing of personal data;
23.4. Destroy your data or suspend the processing of your data (except for storage) (right to destroy and right to “be forgotten”);
23.5. Have the right to require the data controller to restrict the processing of personal data for one of the legitimate reasons (right to limit).
23.6. Have the right to data transfer (right to transfer);
23.7. To oppose the processing of Personal data when this data is processed or intended to be processed for direct marketing purposes, including profiling, insofar as it relates to such direct marketing;
23.8. You have the right to withdraw the consent to process data at any time, when the data is processed on the basis of consent. The withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal. You may withdraw the consent as described in section 6.1.5 of the Privacy Policy.
23.9. Submit a complaint to the State Data Protection Inspectorate of the Republic of Lithuania.
23.10. Applications for the implementation of rights must be submitted to the Company in writing (including the electronic format), it must also be possible to identify the person who submitted the request and the data subject. The data subject is identified from the identity document or by electronic means of communication that allows the person to be properly identified. If the request is sent by the data subject by post or by the courier, a copy of the document confirming the identity of the data subject, approved in accordance with the statutory procedure, must be attached to the application. When a person's information is being sought by his representative, he must provide a document demonstrating his right to represent and a document confirming the identity of the data subject and the representative, unless it is possible to identify the representative and the data subject in other reasonable manner.
Information of third parties on the Company's website
24. The Company's website may contain links to other people's, company's or organization's websites. Please note that the Company is not responsible for the content of such websites or the privacy principles they use. So if you click on a link from the Company's website to access other websites, you should take a look at their privacy policy separately.
V. Miscellaneous
25. The Data Controller has the right to make additions to the Privacy Policy by placing them on the Data Controller's website.
26. This Privacy Policy and any subsequent changes thereto apply from the day they are posted on the Website.
27. Individuals' questions, comments, and preferences related to the Privacy Policy are submitted to the following email address: juristas@grandspa.lt, tel. +370 615 52877.
28. Company’s contact details: Address: V. Kudirkos g. 45, LT-66120 Druskininkai, tel. +370 (693) 79272, e-mail: info@grandspa.lt