Personal data are processed in observance with the General Data Protection Regulation of the European Union (EU) 2016/679 (hereinafter referred to as the Regulation), Law on Legal Protection of Personal Data of the Republic of Lithuania and other effective legislation regulating the protection of personal data.
Private Limited Company NORFOS MAŽMENA UAB adheres to the following major principles of the data processing:
- personal data shall be collected for specified, explicit and legitimate purposes only;
- personal data shall be processed lawfully, fairly and in transparent manner;
- personal data shall be kept up to date;
- personal data shall be kept for no longer than it is required by the set purposes of the data processing or effective legislation;
- personal data shall be processed by the personnel entitled to do so within the framework of their functions assigned, or by duly authorized processors.
1.1. Data controller - Private Limited Company NORFOS MAŽMENA UAB (hereinafter referred to as the Company), legal entity code 110778328, address Savanorių Ave. 176 B, Vilnius.
1.2. Data subject shall mean any natural person whose data are processed by the Company for the purposes of conducting the Company’s activities. The Company shall ensure the personal data collected and processed are stored in a secure manner and used for the specific and explicit purpose only.
1.3. Personal data shall mean any information relating to a data subject who is known or who can be identified directly or indirectly by reference to specific data. Data processing shall mean any operation, which is performed with personal data such as collection, recording, storage, alteration (supplementing or rectifying), making available, requesting, portability, archiving, etc.).
1.4. Consent shall mean an indication of will given freely by a data subject indicating their agreement to the processing of their personal data for a specific purpose.
2. SOURCES OF PERSONAL DATA:
2.1. Personal data are submitted by the data subject. The data subject applies to the Company, bene fits from theservices provided by the Company, acquires the goods, participates in the customer loyalty programmes, lotteries or contests, surveys or researches, leaves their comments, asks questions, subscribes to newsletters.
2.2. Personal data are collected when the data subject visits the Company’s website www.norfa.lt.
3. PROCESSING OF PERSONAL DATA:
3.1. By submitting their personal data to the Company, the data subject gives their consent for the Company to use the data collected in line with the obligations given to the data subject and within the scope of its services expected by the data subject. The Company processes personal data for the following purposes:
3.1.1. Awarding and performance of contracts with the data subject regarding the Company’s services provided and received; maintenance of contacts to ensure accessibility to the data subjects; accounting of taxes and control of contributions. Thus, the following data are collected:
- Name, surname
- Contact details (telephone number, e-mail address)
- Place of employment and position (if the details are given by a legal entity)
- Place of residence (for the billing / invoicing purposes)
- Bank details (if the Company receives the services provided by a natural person)
3.1.2. NORFA discount cards (loyalty programme). The card holder signs into their card account voluntarily on http://www.norfa.lt/lt/mano-norfa/. The card holder indicates their e-mail address and card number. Thus, the following data are collected:
- Discount card number
- Accrued cash
3.1.3. Games, contests. Thus, the following data are collected:
- Name, surname
- Contact details (telephone number, e-mail address)
- Place of residence
3.1.4. Direct marketing (subscription to newsletters) upon registration on www.norfa.lt and selecting subscribe to our NEWSLETTER. Thus, the following data are collected: - E-mail
3.1.5.Video surveillance to ensure the safety of employees, other data subjects and property. Thus, the following data are collected:
- Picture of view. Video surveillance devices have no face recognition and (or) analysis software, the images taken are not being grouped or profiled in relation to a specific data subject (person). The data subject is notified on existing video surveillance by the signs with a video cam symbol and Company’s data which are clearly and properly provided prior to
the entrance to the premises or territory in which video surveillance is used. Video surveillance does not cover the area where the data subject reasonably expects absolute protection of privacy.
3.1.6. For any other purposes where the Company is entitled to the data processing provided for an advance consent of the data subject has been obtained, and where the data must be processed for the purposes of a legitimate interest of the Company, or where the data processing is mandatory for the Company to abide to the effective legislation.
4. SUBMISSION OF PERSONAL DATA:
4.1. The Company shall undertake to comply with the requirements on confidential accessibility in regards to the data subjects. Personal data shall be disclosed to those data recipients who provided with the services related to the customer administration only. Such persons are website designers and administrators, suppliers and administrators of data base software, etc. The data recipients shall be entitled to the data processing in observance with the Company’s instructions and to the extent necessary to ensure a proper performance of their contractual obligations. Moreover, the data recipients shall ensure the security of the personal data of the subjects set forth by the effective legislation. Accordingly, the Company shall use the services of those data recipients who, in an appropriate extent, ensure that
sufficient technical and organisational measures are integrated in such a manner that the receipt of the data would comply with the requirement of the Regulation and ensure the protection of the data subject’s rights.
4.2. The Company may outsource the processing of personal data to the processors who provide the Company with relevant services and process the personal data on the Company’s behalf. The processors shall be entitled to the data processing in observance with the Company’s instructions and to the extent necessary to ensure a proper performance of their contractual obligations. The Company shall use the services of those processors who, in an appropriate extent, ensure that sufficient technical and organisational measures are integrated in such a manner that the processing of the data would comply with the requirement of the Regulation and ensure the protection of the data subject’s rights.
4.3. The Company may also submit the Customers’ data as a response to the requests from judicial or governmental authorities to the extent necessary to ensure an appropriate compliance with the effective legislations and directives of the authority institutions.
4.4. The Company shall ensure that the personal data are not sold or leased to the third persons.
5. STORAGE PERIOD OF PERSONAL DATA:
5.1. Personal data collected by the Company are stored in information systems of the Company. For the purposes of direct marketing, personal data shall be processed as long as the Company has the data subject’s consent to process their data for the purposes of direct marketing and until the data subject does not refuse the processing by selecting the link unsubscribe. For the purposes of the loyalty programme, personal data shall be processed as long as the data subject participates in NORFA loyalty programme or in its relevant part. If the data subject does not use NORFA card for two consecutive years, after that term NORFA card shall be blocked and the personal data of the subject shall be erased.
6. RIGHTS OF THE DATA SUBJECT:
6.1. To be aware of what and how their personal data are being processed. The data subject shall be entitled to being aware of their data processed, purposes of processing, storage duration, their rights, information on whether the decision making is automated or not, including profiling and sampling rationale.
6.2. To request the rectification of their data.
6.3. To refuse the processing of their personal data.
6.4. At any time to revoke their consent to process personal data for the purposes of direct marketing.
6.5. To request the erasure of their data (right to be forgotten). The right shall not be applicable in cases where the personal data pending for the erasure are being processed on a legal basis such as performance of the contract or execution of the duty mandatory under the effective legislation.
6.6. Right to data portability. The right to the data portability shall not adversely affect the rights and freedoms of others.
6.7. Right to restriction of processing.
6.8. Right to lodge a complaint regarding the processing of personal data.
6.9. The Company shall assist the data subject in implementing the priority rights of the Data subjects, except for the cases embedded by the effective legislation, where the State security and defence, public order, prevention of criminal offences, investigation, detection or prosecution thereof, significant State economical or financial interests, prevention of breaches of integrity rulings or professional ethics, investigation and detection thereof, protection of the rights and freedoms of the data subject or other persons must be ensured.
7. TO ENFORCE THE RIGHTS OF THE DATA SUBJECT, PLEASE CONTACT:
7.1. You may submit a written request in person, via ordinary mail, a representative or by e-communication means to e-mail: firstname.lastname@example.org:
7.1.1. in writing – address: Savanorių Ave. 176 B, LT-03154 Vilnius.
7.2. To protect the data against an unauthorized disclosure, upon the receipt of the data subject’s request to provide with the data or enforce any other rights, the Company shall verify the identity of the data subject.
7.3. In case of the failure to reach a consensus, the data subject shall be entitled to applying to the State Data Protection Inspectorate (www.ada.lt) which is responsible for the supervision and control of the legislation regulating the protection of personal data.
8. RESPONSIBILITY OF THE DATA SUBJECT:
8.1. To inform the Company on the change of any information and data provided. It is a key importance for the Company to have an accurate and up-to-date information on the data subject.
8.2. To provide with required information to enable the Company, if it receives a request from the data subject, to identify the data subject and make sure it communicates or cooperates with the right data subject (provide with any identification document, or in the procedure laid down by the effective legislation, or via e-communication means enabling a proper identification of the data subject). That is necessary to protect personal data of the data subjects and other persons to ensure that the information on the data subject disclosed is provided to that data subject only and to avoid the infringement of other persons’ rights.
9. FINAL PROVISIONS