By order of the general manager of Grand SPA
Lietuva UAB, No. ĮT-69
I. General provisions
5. Data controller – the Company, head office address V. Kudirkos g. 45, LT-66120 Druskininkai, e-mail address: firstname.lastname@example.org. The Company has appointed a Data Protection Officer with the following contact details: e- mail address: email@example.com, tel. 8 612 22646. The customer and/or the employee can contact on the issues of Personal Data protection: firstname.lastname@example.org, tel. 8615 52877 II. The purposes of Personal Data processing, the Personal Data collected, the term of their storage and the basis for processing
6. Purposes of data processing: 6.1. Direct marketing (sending newsletters and offers).
6.1.1. The Company uses and processes Personal Data for direct marketing purposes only if the Individuals have given their corresponding consent. You can confirm your consent for using your Personal Data for direct marketing purposes by signing of/providing your details on the website.
6.1.2. The following Personal Data is processed for the purpose of direct marketing:
184.108.40.206. full name,
220.127.116.11. e-mail address.
6.1.3. The specified Personal Data are collected and processed on the basis of consent. Persons must submit an e-mail address in order to receive newsletters/offers.
6.1.4. The term of storage of Personal Data processed for direct marketing purposes is 3 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pretrial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary. 2
6.1.5. The data subject has the right not to give or to withdraw his consent to the processing of his Personal Data for direct marketing purposes at any time, including profiling, insofar as it relates to such direct marketing, without giving reasons for non-consent:
18.104.22.168. By sending an e-mail to email@example.com or by calling +370 686 58 450;
22.214.171.124. By clicking on the link “Unsubscribe” at the end of the newsletter.
6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.
6.1.7. Persons under the age of 14 cannot provide any Personal Data for marketing activities through the Company's website. If you are a person below the age of 14, you must obtain the consent of your parents or other legal guardians before submitting personal information for marketing activities.
6.2. Loyalty programme
6.2.1. The customer who has filled out the Customer profile questionnaire agrees to participate in the hotel loyalty program and has no objections to his Personal Data to be used for direct marketing purposes. The Customer agrees to receive information on the privileges offered to the Loyalty Programme participants, special promotions and news.
6.2.2. When the customer has given a consent to process the data solely for the purpose of executing the Loyalty Programme, the customer's profile and the Personal Data are stored in the administration system until the person is a member of the Loyalty Programme and 3 years after he no longer participates in the Loyalty Programme (for example, withdraws his consent to process the data for the purpose of the Loyalty Programme or expressed the intention not to be participant of the Loyalty Programme).
6.2.3. The following Personal Data is processed for the purpose of the Loyalty Programme:
1. Full name;
2. Date of birth;
3. Telephone number;
6. Language in which the customer would like to receive a newsletter;
7. E-mail address;
8. Loyalty card number;
9. Personal purchase history;
10. Economic value of the purchase;
6.1.5. The data subject has the right to refuse or withdraw his consent to the processing of his Personal Data at any time for the purposes of the Loyalty Programme without giving reasons for such objection:
126.96.36.199. By sending an e-mail to firstname.lastname@example.org or by calling +370 612 94818.
6.1.6. Withdrawal of consent will not affect the legality of reasonable processing of personal data performed before the withdrawal.
6.3. For the purpose of the processing of data relating to accommodation and health/SPA services in order to conclude and execute contracts.
6.3.1. For the purpose of contracting and executing the contract, the following Personal Data is processed:
188.8.131.52. Full name;
184.108.40.206. Telephone number;
220.127.116.11. Date of arrival/departure;
18.104.22.168. E-mail address;
22.214.171.124. Is a visitor planning to stay with a child, the number of children and age;
126.96.36.199. Personal preferences (if the person specifies them himself);
188.8.131.52. Room type;
184.108.40.206. Order price;
220.127.116.11. Payment form;
18.104.22.168. Additional requested services (e.g., special dinner, health/SPA procedures);
22.214.171.124. Catering: lunch, breakfast, dinner;
126.96.36.199. Booking number; 3
188.8.131.52. Preferred language of communication;
184.108.40.206. Other data required for ordering services.
6.3.2. Personal Data related with the conclusion and implementation of contract will be processed for 10 years. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.
6.4. The purpose of provision of responses and information to Individuals.
6.4.1. In the event that the Individuals submit a request/complaint through the Company's website, by email or by telephone consultation, in order to properly answer the request, the Company collects and manages the following data: name, surname, phone number, e-mail, room number, services ordered. If the Individuals do not provide sufficient details to identify the Individual or the services provided to him, the Individual will not be able to receive appropriate and comprehensive advice on the relevant matter
6.4.2. The following Personal Data are processed: 1) on the basis of the consent, expressed by Individuals in consenting actions; 2) The processing of data is necessary in order to fulfil the legal obligation imposed on the Data Controller; 3) The processing of data is necessary for the legitimate interests of the Data Controller, namely, to examine and process requests, claims, to improve customer service quality, and serve customers.
6.4.3. Data storage term: 12 months. This term may be extended if the Personal Data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including in the investigation conducted by the State Data Inspection, in civil, administrative or criminal proceedings, or in other cases established by law. In this case, Personal Data may be stored for the duration necessary for the processing purposes of such data and destroyed immediately when it becomes no longer necessary.
6.4.4. The Company uses your Personal Data only in order to properly and objectively investigate the queries of Individuals, provide the Individuals the necessary information, answer their questions, and resolve requests or provide consultations. The Company can also analyze the data in the query in order to improve the quality of our activities and the services provided to you, taking into account your opinions and suggestions.
6.4.5. The Company does not disclose the contents of personal correspondence with Individuals. However, if the Individual’s request or claim is received on public comments of of websites or social networking, the Company reserves the right to provide a public answer/comment, in the same form as they request was received.
6.4.6. Upon the expiration of your data processing and retention period set forth in this Policy, the Company will destroy your data or depersonalise you reliably and irrevocably as soon as possible, within a reasonable and justifiable timeframe for such action. The Company will not be able to meet this requirement if the request is submitted through the websites/social networking accounts not administered by the Company.
6.5. The purpose of the selection of personnel (candidates for vacancies in the Company).
6.5.1. For the personnel selection purposes the Data Controller manages the Personal Data submitted voluntarily by the Candidate, to the extent that the Personal Data were submitted through the Company's website, sent to the Company's e-mail or brought to the Human Resources Department:
220.127.116.11. other data provided by the data subject.
6.5.2. Candidates' data are processed on the basis of the consent, expressed by submitting their data and seeking to take action by the consenting actions of a Candidate, by submitting data through the Company's website, sending them to the Company's e-mail or bringing to the Human Resources Department.
6.5.3. Upon expiration of the period of selection for a specific position, the Company deletes the CV and other data of the Candidates, unless the Company has obtained the consent of the Candidate to process his/her personal data for longer so that the Company can offer a job position.
8. The Data Controller shall, in accordance with the specific purposes for the processing of Personal Data, protect Personal Data in accordance with the above terms.
10. The Company processes Personal Data responsibly, legally, fairly and transparently. In determining the Personal Data processing tools, as well as during the data processing, the Company implements appropriate technical and organizational measures of data protection to protect Personal Data being processed from accidental or unlawful destruction, damage, alteration, loss, disclosure, as well as any other unlawful processing.
11. In the event that Individuals choose passwords that enable them to use certain features of the Website, Individuals are solely responsible for the confidentiality of passwords. The Company asks Individuals not to disclose or share passwords with third parties.
12. Individuals must take active measures to ensure the confidentiality of their Personal Data and should make maximum efforts to protect the password for accessing the website from disclosure to third parties and not to disclose it directly (indirectly) to third parties and to ensure that no third parties could use their data through the website and/or the services provided by the Company and/or for other purposes. Individuals shall be liable for any acts of third persons if they were done using the Personal Data and all obligations and responsibilities arising out of or related to such third party actions shall be fully binding to the Individuals.
13. If the Company has doubts about the correctness of the Personal Data provided by the Individuals, the Company has the right to suspend the processing of such Personal Data, to verify and correct these data.
14. Notwithstanding the fact that the Company makes all reasonable efforts to protect the Personal Data of Individuals, the Company notes that the data transmitted by electronic means of communication are transmitted through the networks operated by the providers of electronic communications services and therefore the Company cannot guarantee and is not responsible for data security and security by transmitting the data in this manner. Any data transfer procedures are performed solely at the risk of Individuals. From the moment of receipt of data, the Company applies strict Personal Data protection procedures and technical and organizational measures for the protection from unauthorized access to the Personal Data. III. Provision of data to third parties
15. The Personal Data may be handed over for processing to data processors who help to and enforce and manage the provision of the Services. These persons may include database software vendors, database administrators, data centres, hosting and cloud service providers, direct marketing service providers, market research or business intelligence service providers, accounting service providers, auditors, legal and financial advisers, etc., partners used for the purpose of fulfilling a specific order (courier service, payment service provider, etc.).
16. Personal Data may be transferred to the court, law enforcement agencies or state institutions to the extent that such provision is provided by legal requirements (e.g.: bailiffs, courts, etc.).
17. Personal Data may also be transferred to other persons with the consent of the Data Subject, if such consent is obtained on a case-by-case basis.
18. In each case, we provide to the data processor only as much data as is absolutely necessary to complete a specific order or provide a specific service.
19. Data processors recruited by the Company can process your personal data only according to our instructions and cannot use them for other purposes or transfer to others without the Company's consent. In addition, they must ensure the security of Personal Data in accordance with applicable law and written agreements with us.
20. If the Company uses the website analysis service (such as Google Analytics) to determine how you use the information provided on the Website www.grandspa.lt, the Company may exchange your depersonalized data with third parties who rely on this information to evaluate how the Website is used, to prepare reports the website operators about the Website functioning, and to provide other services related to the use of the website and the mobile application.
22. If the Data Controller will transfer Personal Data to companies or organizations in third countries, the Data Controller will ensure the procedures for ensuring the level of processing and protection of Personal Data set forth in the regulatory enactments. IV. Rights of the Data Subject
23. The data subject whose data is processed in the activities of the Data Controller has the following rights:
23.1. To know (be informed) about his data processing (right to know);
23.2. Having access to your data and the manner in which they are processed (right to access);
23.3. Request to correct or supplement the incomplete personal data (right to rectify), taking into account the purposes for the processing of personal data;
23.4. Destroy your data or suspend the processing of your data (except for storage) (right to destroy and right to “be forgotten”);
23.5. Have the right to require the data controller to restrict the processing of personal data for one of the legitimate reasons (right to limit).
23.6. Have the right to data transfer (right to transfer);
23.7. To oppose to the processing of Personal data when this data is processed or intended to be processed for direct marketing purposes, including profiling, insofar as it relates to such direct marketing;
23.9. Submit a complaint to the State Data Protection Inspectorate of the Republic of Lithuania.
23.10. Applications for the implementation of rights be submitted to the Company in writing (including the electronic format), it must also be possible to identify the person who submitted the request and the data subject. The data subject is identified from the identity document or by electronic means of communication that allows the person to be properly identified. If the request is sent by the data subject by post or by the courier, a copy of the document confirming the identity of the data subject, approved in accordance with the statutory procedure, must be attached to the application. When a person's information is being sought by his representative, he must provide a document demonstrating his right to represent and a document confirming the identity of the data subject and the representative, unless it is possible to identify the representative and the data subject in other reasonable manner. Information of third parties on the Company's website
28. Company’s contact details: Address: V. Kudirkos g. 45, LT-66120 Druskininkai, tel. +370 (693) 79272, e-mail: email@example.com