1. PURPOSE AND SCOPE
1.1. The Privacy Statement provides the information on how AB “Ignitis grupė” processes Personal Data.
1.2. The provisions of the Privacy Statement shall apply to natural persons the personal data of whom are processed by the Parent Company, e.g.:
1.2.1. employees of the Parent Company;
1.2.2. Candidates for the Parent Company;
1.2.3. members of management and/or supervisory collegial bodies and/or committees;
1.2.4. shareholders of the Parent Company, their proxies;
1.2.5. Persons who contact the Parent Company and provide their Personal Data, for example, when submitting applications, requests directly or by using remote communication means, including by phone or email;
1.2.6. Persons who visit the Parent Company’s website;
1.2.7. Counterparties, their proxies, etc., of the agreements concluded by the Parent Company.
2.1. Terminology and abbreviations used in this Privacy Statement shall have the following meanings:
2.1.1. Personal Data shall mean any information related to a natural person who can be identified directly or indirectly (e.g., name, surname, contact details, etc.).
2.1.2. Person shall mean a natural person (data subject) the data of whom are being processed (e.g., persons who contact the Parent Company when submitting applications, requests, users of the Parent Company’s website, etc.).
2.1.3. The Parent Company shall mean AB “Ignitis grupė” (data controller), legal entity code 301844044, registered office address Laisvės Ave. 10, LT-04215 Vilnius.
2.1.4. Data Processing shall mean any operation which is performed on personal data of the Person (e.g., collection, recording, storage, giving access, transferring, etc.).
2.1.5. Candidate shall mean the Person who participates in personnel selection.
2.1.6. Counterparty shall mean a party of the agreement.
2.2. Other terminology used in the Privacy Statement shall be understood as it is described in the legislation regulating the protection of personal data (the General Data Protection Regulation (EU) 2016/679 (hereinafter – the Regulation), the Law on Legal Protection of Personal Data of the Republic of Lithuania and others).
3. OBJECTIVES AND LEGAL GROUNDS OF PERSONAL DATA PROCESSING
3.1. The Parent Company shall process Personal Data only for specific purposes and on the grounds laid down in the legislation when:
3.1.1. it is necessary to process the data in order to conclude and/or carry out the agreement concluded with a Person;
3.1.2. the Person has given consent to process his or her data for one or several specific purposes;
3.1.3. the Parent Company must process Person’s data while following legislation requirements;
3.1.4. Personal Data must be processed in pursuit of legitimate interests of the Parent Company.
3.2. Principle objectives pursued by the Parent Company while processing Personal Data are the following:
3.2.1. Resolving submitted questions. The Parent Company shall process Personal Data when examining and resolving submitted questions, claims on the grounds of an agreement, consent or legislation requirements.
3.2.2. Security of Persons and objects. To ensure the security of its employees, customers, other persons recorded in video surveillance as well as security of its assets and objects, the Parent Company may carry out video surveillance on the grounds of legislation requirements or its legitimate interests.
3.2.3. Carrying out selection procedures. The Parent Company shall process Personal Data when Persons submit their curriculum vitae (CV) and other information as they participate in selections for the positions announced by the Parent Company or another Group Company, or as they wish to carry out their internship on the basis of consent.
3.2.4. Concluding and carrying out agreements. The Parent Company shall process Personal Data when concluding and carrying out agreements with Counterparties on the grounds of carrying out an agreement and/or an intention to conclude an agreement with a Counterparty;
3.2.5. Concluding and carrying out employment agreements. The Parent Company shall process Personal Data when concluding and on the grounds of an intention to conclude an employment agreement or carry out the employment agreement concluded with a Candidate;
3.2.6. Other objectives. The Parent Company may also process Personal Data for other purposes if it has received the Person’s consent, and it must process Personal Data while following legislation requirements or when it has the right to process the data in its legitimate interests.
3.3. In all of the cases mentioned above, the Parent Company shall process Personal Data insofar it is necessary to obtain respective, clearly defined and legitimate objectives with regard to the requirements of the protection of personal data.
4. PERSONAL DATA PROCESSING SCOPE (CATEGORIES)
4.1. The main Personal Data categories and the data which are processed by the Parent Company for the reasons mentioned above are the following:
4.1.1. identification data – name, surname, date of birth, etc.
4.1.2. contact information – address, phone number, email, etc.
4.1.3. professional data – qualifications, professional skills, business traits, etc.
4.1.5. other data processed by the Parent Company on the grounds laid down in the legislation.
5. OBTAINING PERSONAL DATA
5.1. The Parent Company shall process the Personal Data which was submitted by the Persons themselves or which was received by the Parent Company from other sources (e.g., registers managed by the state or private persons) or third parties, insofar it is necessary on the grounds of the agreement, consent, legislation or legitimate interests of the Parent Company.
6. PROVIDING PERSONAL DATA
6.1. Following the requirements of the legislation, the Parent Company may transfer the processed Personal Data to the recipients of the data under the following categories:
6.1.1. Service Providers. The Parent Company may transfer the processed Personal Data to third parties operating on behalf of the Parent Company and/or under its instructions that provide the Parent Company with customer service, software licencing, maintenance, employment relationship administration, sending correspondence and other services, in order to ensure proper provision, management and development of the Parent Company’s services. In such cases, the Parent Company shall take the measures necessary to ensure that the engaged service providers (data controllers) manage the submitted Personal Data only for their intended purpose of submission, ensuring proper technical and organisational security measures in accordance with the Parent Company’s instructions and the requirements of the legislation in force.
6.1.2. State, law enforcement and monitoring authorities. The Parent Company may submit the processed Personal Data to government or law enforcement authorities (e.g., the police, the prosecutor’s office, Financial Crime Investigation Service, etc.) when it is obligatory in accordance with the legislation in force or in order to ensure legitimate interests of the Parent Company, employees or third parties.
6.1.3. Other third parties. The Parent Company may submit Personal Data to other recipients of the data on legal grounds described in the legislation.
7. DATA STORAGE
7.1. The Parent Company shall process Personal Data for no longer than required for the purposes of data processing or as indicated in the applicable legislation if they establish a longer period for storing the data.
7.2. In order to determine the period for storing the data, the Parent Company shall apply the criteria that correspond to the obligations laid down in the legislation, also shall consider the rights of a Person, e.g., it shall determine the period for storing the data, during which the requirements related to the performance of the agreement may be submitted, if any, etc.
8. APPLIED SECURITY MEASURES
8.1. The Parent Company shall ensure confidentiality of Personal Data in accordance with the requirements of the legislation in force and the implementation of appropriate technical and organisational measures intended for protection of Personal Data from illegal access, disclosure, accidental loss, amendment or destruction or other illegal processing.
9. AUTOMATED DECISION-MAKING AND PROFILING
9.1. The Parent Company shall not process Personal Data based on automated processing, including profiling, as referred to in Article 22 of the Regulation.
10. PERSONAL RIGHTS
10.1. After contacting the Parent Company and confirming his or her identity, the Person shall have the right to:
10.1.1 access Personal Data concerning him or her processed by the Parent Company;
10.1.2 rectify incorrect, incomplete, inaccurate Personal Data concerning him or her;
10.1.3 erase or stop collecting Personal Data concerning him or her, except for storing, Personal Data processing where it infringes the requirements of the applicable legislation or where the Personal Data are no longer necessary in relation to the purposes for which they are collected or otherwise processed;
10.1.4 receive Personal Data concerning him or her which he or she has provided to a data controller in a structured, commonly used, machine-readable and interoperable format;
10.1.5 restrict the processing of Personal Data concerning him or her in accordance with the applicable legislation, e.g., for the period during which the Parent Company will evaluate if the Person has the right to erase their Personal Data;
10.1.6 object to processing of Personal Data concerning him or her and/or, in case Personal Data are processed on the basis of consent – withdraw his or her consent to process Personal Data concerning him or her at any time, without affecting the legitimacy of processing based on consent before its withdrawal;
11. ENFORCING PERSONAL RIGHTS
11.1. Persons can contact the Parent Company regarding the Personal Data processing it carries out in writing at: Laisvės Ave. 10, LT-04215 Vilnius, email [email protected].
11.2. Contacts of Personal Data Protection Officer of the Parent Company: [email protected]
11.3. If a Person intends to enforce his or her rights in accordance with the Regulation, he or she must submit a request in the form of the form approved by the Parent Company in person, by email, through a proxy or by electronic communication means.
11.4. When submitting a request, the Person must confirm his or her identity:
11.4.1. If the request is submitted in person, to an employee of the Parent Company, the Person must provide proof of identity.
11.4.2. If the request is submitted via mail, a notarised copy of proof of identity must be submitted together with the request.
11.4.3. If the request is submitted via proxy, the proxy must provide his or her name, surname, address and contact details for communication, which the proxy of the Person desires to receive a response by, also the name, surname and personal identification number of the Person he or she is a proxy to as well as provide a notarised copy of proof of identity together with the proof of representation or a copy of the proof of representation approved in accordance with the procedure set out by law.
11.4.4. If the request is submitted via electronic communication means, the request must be signed by a qualified electronic signature or formed by electronic means that allows to ensure the integrity and irreplaceability of the text.
11.5. The Parent Company may refuse to take actions in respect of the request of the Person if the request of the Person is clearly unjustified or disproportionate. The Parent Company shall, no later than within one month from the receipt day of the request, submit a response to the Person, which contains information about the actions taken after the request was received in accordance with Articles 15–22 of the Regulation. If necessary, the period may be extended by two months considering the complexity of the request and the number of pending requests. The Parent Company shall, within one month from the receipt of the request, inform the Person about the extension of the examined request by providing reasons for the extension.
11.6. The Parent Company has the right to refuse to provide the information requested by the Person if:
11.6.1. Personal Data were collected directly from the Person and this information has already been provided to the Person;
11.6.2. Personal Data were received not from the Person himself or herself;
11.6.3. the provision of the data requested by the Person is impossible or would require a disproportionate amount of effort;
11.6.4. the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by the European Union or the Republic of Lithuania law, including an obligation to safeguard professional secrets.
11.7. While exercising the Person’s right to access the Personal Data concerning him or her processed by the Parent Company, the Parent Company shall:
11.7.1. have the right to request the Person to specify the submitted request if the Parent Company is managing a large amount of information related to the Person;
11.7.2. submit the information to the Person to the extent it does not infringe the rights of other persons if certain information about the Person is related to other persons.
11.8. Should the issues related to processing of Personal Data by the Parent Company and/or Personal rights fail to be resolved, the Person shall also have the right to apply, submit a claim to the State Data Protection Inspectorate.
12. PERSONAL OBLIGATIONS
12.1. When providing Personal Data concerning him or her to the Parent Company, the Person shall confirm that he or she has been duly informed about the Personal Data processing terms and conditions provided in this Privacy Statement, and the provided data and information are accurate and correct.
12.2. The Person shall be obligated to inform the Parent Company about the changes in the provided data or other related information.
13. VALIDITY OF AND AMENDMENTS TO THE PRIVACY STATEMENT
13.1. This Privacy Statement contains the main provisions of Personal Data processing. Additional information about how the Parent Company processes Personal Data is available in the agreements, other documents of the Parent Company, on the website www.ignitisgrupe.lt/en or can be provided through remote channels (e.g., by email, etc.).
13.2. Should legislation requirements and/or processes, etc., of the Parent Company change, the Parent Company has a right to amend and/or supplement this Privacy Statement unilaterally. The Parent Company shall inform about the amendments to the Privacy Statement by disclosing it on the Parent Company’s website. In certain cases, the Parent Company may also inform the Persons about the changes via mail, email or otherwise (e.g., by disclosing it to the press).
14. FINAL PROVISIONS
14.1. The supervision and control of the requirements provided in the Privacy Statement shall be ensured by the employees carrying out the compliance functions within the Parent Company.
14.2. The Privacy Statement and amendments thereof shall be coordinated with Personal Data Protection Expert at AB “Ignitis grupė”.