I. GENERAL PROVISIONS
- UAB “Baltic Asset Management” ensures that personal data are processed in a lawful, fair and transparent manner, collected for specified and clearly defined purposes and are not further processed in a manner incompatible with those purposes.
Terms used in this Policy include:
- Personal Data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data and an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Data Controller — UAB “Baltic Asset Management”, code: 304602224, registered office address: Upės g. 21, Vilnius;
- Data Subject — Customer of the Company — any natural person whose personal data is processed by the Data Controller;
- Data processing — any operation or sequence of operations which is performed by automated or non-automated means on personal data or on sets of personal data, such as collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination or any other means of making available, alignment with or combination with other data, restriction, erasure, or destruction.
- The concepts, principles and other provisions used in this Policy are in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as the “GDPR”), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other relevant legal acts.
The Data Subject shall be deemed to have read and understood this Policy by voluntarily leaving their data (email address and telephone number) on the website of the Company www.chapters.lt
- Please be informed that the Data Controller:
- Processes personal data in a lawful, fair and transparent manner in relation to the Data Subject (principle of lawfulness, fairness, and transparency);
- Collects personal data for specified, explicit and legitimate purposes and does not further process personal data in a manner incompatible with those purposes (purpose limitation principle);
- Collects only Personal Data that is adequate, relevant, and necessary for the purposes for which it is processed (principle of data minimisation);
- Processes only accurate Personal Data and updates it as necessary; takes all reasonable steps to ensure that Personal Data which are not accurate in relation to the purposes for which they are processed are erased or rectified without undue delay (principle of accuracy);
- Stores Personal Data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed (the principle of storage limitation);
- Processes Personal Data in such a way as to ensure, by appropriate technical or organisational measures, adequate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss or destruction (principle of integrity and confidentiality);
- The Data Controller is responsible for ensuring compliance with the above principles and must be able to demonstrate compliance with them (principle of accountability).
- The use of third-party services, such as the use of the social media accounts of the Data Controller, may be subject to the terms and conditions of third parties. Therefore, when using the services of such third parties, it is recommended that you also familiarise yourself with their terms and conditions.
II. COLLECTION, PROCESSING, STORAGE OF PERSONAL DATA
- For the purposes of the provision and performance of the services of the Company, purchasing, and participation in the activities, billing, data analysis, the Data Controller processes the following personal data relating to the Data Subject:
- name, surname,
- personal number or date of birth,
- phone number, email address,
- home address,
- bank account number (for payment for services)
- data on the real estate being bought/sold/owned by the data subject (extract of the object from the Real Estate and Cadastre Register of the State Enterprise Centre of Registers),
- IP address,
- email and social media correspondence (not public records).
For the purpose of direct marketing, the Data Controller shall process the following data of the Data Subject:
- name, surname,
- phone number, email address.
For the purposes of administering customer enquiries, providing quality services, the Data Controller shall process the following data of the Data Subject:
- name, surname,
- phone number, email address.
- Storage of personal data:
- personal data in relation to the core business of the Company, i.e., the purchase and sale of real estate, project management and development, shall be stored for 10 (ten) years. This time limit is due to the possibility of inspections initiated by various public authorities (e.g., STI, SoDra, etc.), which may start 5 (five) years after the conclusion of a specific contract (e.g., a works contract) and require data for the previous 5 (five) years;
- for direct marketing purposes (i.e., offering data subjects to buy/sell/otherwise transfer, in part or in full, real estate relevant to them, contributing to real estate projects under development), the data received shall be stored for a period of 5 (five) years from the date of receipt of data;
- for the purpose of administering enquiries, personal data is stored for 1 (one) year from the date of receipt;
- for the purpose of invoicing, personal data is stored in accordance with the legal requirements applicable to accounting.
- The data subject may at any time submit a request to withdraw consent to the processing of their personal data by sending an e-mail to the following address: email@example.com by visiting the office of the Company at the following address: Upės g. 21, Vilnius.
- The Data Controller collects personal data:
- directly from the Data Subject,
- from publicly available sources, i.e., publicly available data of business partners and/or their representatives are collected by the Company from publicly available systems (social networks, public databases, etc.) in connection with the preparation of relevant tenders, project development, etc.
- The company has a database of all real estate brokers operating in Lithuania. Their data is publicly available and accessible. Whenever the Company sends relevant enquiries to brokers, emails allow them to opt-out of receiving relevant offers of future cooperation.
- The Data Controller undertakes not to disclose the Personal Data processed to third parties except in the following cases:
- if the Data Subject has consented to such disclosure of personal data;
- when the data is provided to Data Processors providing accounting, online system support, payment and other services;
- companies affiliated with the Data Controller, as well as companies that provide services at the request of the Data Controller, e.g., banks/companies that assist with payment transactions. These companies are limited in their ability to use your information; they cannot use this information for purposes other than to provide services to the Data Controller;
- To other parties where required to do so by law or as necessary to protect the information society services provided.
- where the data are provided for other relevant purposes in the performance of statutory obligations.
Cases where the Data Controller may disclose the information of the Data Subject to other parties:
- to comply with the law or in response to a mandatory court order;
- to confirm the legality of its actions;
- to protect the Data Controller, its rights, property, or security;
- to any related third party in the event of a merger, transfer, or bankruptcy;
- in other cases, with the consent of the Data Subject or a lawful request.
- By submitting personal data, the Data Subject grants the Data Controller the right to collect, store, systematize, use and process, for the purposes provided for in this Policy, all personal data that are submitted directly or indirectly by visiting the website.
It is the responsibility of the Data Subject to ensure that the data provided is accurate, correct, and complete. Knowingly entering incorrect data is considered a breach of the Policy. If the data you have provided changes, you must rectify it without delay and, if you are unable to do so, inform the Data Controller thereof. In no event shall the Data Controller be liable for any damage caused to the Data Subject and/or third parties as a result of the incorrect and/or incomplete personal data provided by the Data Subject, or the failure to request the completion and/or modification of the data following a change in them.
The Data Controller does not collect sensitive information about the Data Subject.
The Data Controller does not carry out automated decision-making or profiling based on information about the Data Subject.
The Data Controller does not share the personal data of the Data Subject with entities outside the European Economic Area.
The Data Controller may share personal data with UAB “Baltic Asset Management” group companies and UAB “Baltic Asset Management” affiliates.
Cookies are files that store information on the hard drive of a computer or in a search engine. They can be used to identify visits to the Website of the Data Controller, to see the history of visits, and to tailor content accordingly.
Cookies are also used to ensure the most user-friendly browsing experience and the smooth functioning of the website, to monitor the duration and frequency of visits and to collect statistical information about the number of visitors to the Website. They also help to improve the functioning of the Website and to implement improvements and adapt the Website to the optimal needs of its Visitors.
The websites and social media accounts operated by the Data Controller allow the Data Subject to provide information directly to the Data Controller (for example, by subscribing to a newsletter on the website). The following information is obtained directly from the Data Subject:
The following information is obtained indirectly:
- information about how the websites of the Data Controller are used (for example, the following information may be collected):
- device information, i.e., IP address, operating system version and settings of the device used by the Data Subject to access the content/products;
- login information, i.e., the timing and duration of the use of the session by the Data Subject, the timing of requests made by the Data Subject on the websites of the Data Controller and any information stored in cookies stored on the device of the Data Subject;
- location information, i.e., the GPS signal of the device or information about the nearest WiFi access points and mobile towers, which may be transmitted to the Data Controller by the Data Subject when using the content of the websites of the Data Controller;
- information from third-party sources.
The Data Controller may obtain information about the Data Subject from public and commercial sources (to the extent permitted by applicable law) and associate it with other information received from or about the Data Subject.
The Data Controller may also obtain information about the Data Subject from third-party social networking services when the Data Subject accesses them, for example, through accounts on Facebook.
The Data Controller may collect information about the Data Subject, their device, or their use of the content of the websites with the consent of the Data Subject.
The Data Subject may choose not to provide the Data Controller with certain information (e.g., subscription or marketing information), but in this case, the Data Controller will not be able to provide the Data Subject with the most recent offers or to contact the Data Subject promptly when the Data Subject has the most suitable offer.
The processing of data by means of cookies does not allow the direct or indirect identification of Visitors to the Website.
The visitor can delete cookies from their computer or block them in their web browser, but some of the functionality of the website may not work or may not function correctly.
IV. RIGHTS OF DATA SUBJECTS
- The Data Controller shall guarantee the exercise of the rights of the Data Subject and the provision of any relevant information upon request or enquiry by the Data Subject:
- to know (be informed) about the processing of your personal data;
- to have access to your personal data and how they are processed;
- to request the rectification or deletion of your personal data or the suspension, other than storage, of processing of your personal data;
- to object to the processing of personal data, including direct marketing;
- to request the erasure of personal data (“right to be forgotten”);
- to request the portability of your personal data, i.e., access to your personal data in the form of personal data in a commonly used and computer-readable format;
- the right to lodge a complaint with the State Data Protection Inspectorate.
The Data Controller may prevent Data Subjects from exercising the above-mentioned rights where, in the cases provided for by law, it is necessary to ensure the prevention, investigation, and detection of crimes, breaches of official or professional ethics, as well as the protection of the rights and freedoms of the Data Subject or other persons.
- A data subject who has presented a document confirming their identity or who has confirmed their identity by means of the procedure established by law or by means of electronic communications (provided that they allow for proper identification of the person) shall have the right to have access to their data processed by the Company at any time, free of charge, upon submitting a request to the Controller, and to obtain information on the sources from which their personal data were collected, the purpose for which they are processed, and the recipients to whom the data is being provided and to whom it has been provided for the past 1 (one) year. The Data Subject shall also have the right to request the rectification of incorrect, incomplete, inaccurate personal data, to request the suspension, except for storage, of the processing of their personal data when the data are processed in violation of the law and the terms of this Policy.
The Data Subject may submit a request for the exercise of their above-mentioned rights at the office of the Company, at the following address: Upės g. 21, Vilnius, by filling in the application form, or by sending it by e-mail to: firstname.lastname@example.org
The Data Subject shall have the right to withdraw consent at any time to the extent that the processing of personal data is based on consent, without affecting the lawfulness of the processing based on consent prior to the withdrawal of consent, as provided for in the Policy.
- The website(s) or social media accounts of the Data Controller may contain links to third parties whose websites and services are not under the control of the Data Controller. The Data Controller is not responsible for the security and privacy of information collected by third parties. The Data Subject must be careful and read the privacy statements applicable to third-party websites and services used by the Data Subject.
- If the Data Subject is not satisfied with the response of the Data Controller or considers that the Data Controller is not processing personal data in accordance with the legal requirements, the Data Subject shall have the right to lodge a complaint with the State Data Protection Inspectorate of the Republic of Lithuania.
V. FINAL PROVISIONS
- Legal relations related to this Policy shall be governed by the law of the Republic of Lithuania.
The Data Controller shall not be liable for damages, including damages caused by interruptions in the use of the Website, for loss or corruption of data caused by the actions or omissions of the Data Subject himself or by the actions or omissions of third parties acting with the knowledge of the Data Subject, including erroneous data entry, other errors, intentional damage, or other misuse of the Website. The Website Provider shall also not be liable for interruptions of access to and/or use of the Website and/or damage caused by such interruptions due to the actions or omissions of third parties not related to the Data Controller or the Data Subject, including interruptions of the electricity supply, Internet access, etc.
Amendments or changes to the Policy shall take effect from the date of their publication on the Website.
If the Data Subject continues to use the Website after the addition or modification of the Policy, the Data Subject shall be deemed not to object to such additions and/or modifications.
RULES ON PROCESSING OF VIDEO SURVEILLANCE AND VIDEO DATA
I. GENERAL PROVISIONS
- The Rules on Video Surveillance and Video Data Processing (hereinafter referred to as the “Rules”) regulate and cover the surveillance of premises, buildings and outdoor areas of UAB “Plėtojimo projektai” (hereinafter referred to as the “Company”), recording of video data, processing of recordings (viewing, storing, transferring, sharing, using), granting, deleting and changing of access rights and powers to process personal data, procedures for managing and responding to data security breaches and rules for exercising the rights of data subjects and handling requests, ensuring compliance with and implementation of the Law on Legal Protection of Personal Data of the Republic of Lithuania, the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as “GDPR”), and of other laws and regulations governing the processing and protection of personal data.
- These Rules have been prepared in accordance with the Law on Personal Data Protection of the Republic of Lithuania (hereinafter referred to as “LRPPD”), the GDPR and its implementing legal acts, the Order of the Director of the State Data Protection Inspectorate of November 12, 2008 No.1T-71(1.12) “On Approval of the General Requirements for Organisational and Technical Measures for Personal Data Security”, other laws and legal acts regulating the personal data processing and protection.
- Terms used in these Rules include:
- Data Controller — General Data Controllers — UAB “Plėtojimo projektai”, company no. 305227656, Smolensko g. 12, Vilnius, e-mail email@example.com, tel. +37065261041 and UAB “Tvari plėtra”, company no. 305600151, Smolensko g. 12, Vilnius, e-mail firstname.lastname@example.org, tel. +37065261041, UAB “Baltic Asset Management”, company no. 304602224, Upės g. 21, Vilnius, e-mail email@example.com, tel. 37065261041.
- Data Processor — UAB “Plėtojimo projektai” company no. 305227656, Smolensko g. 12, Vilnius, e-mail firstname.lastname@example.org, tel. 37065261041 and UAB “Tvari plėtra”, company no. 305600151, Smolensko g. 12, Vilnius, e-mail email@example.com, tel. 37065261041.
- Data Subject — a natural person whose personal data is processed for the purposes specified in the Rules.
- Personal Data — any information relating to a Data Subject who is known or identifiable, directly or indirectly.
- Access to video recording equipment — physical access or access by means of electronic communication enabling a person to modify, remove or update the components or software of the technical video equipment, to set the operating parameters of the video equipment, and to have access to the personal data collected in the course of video surveillance.
- Video surveillance — the processing of video data relating to a natural person by means of automated video surveillance tools (video cameras), regardless of whether the data are stored in a medium.
- Video surveillance system — servers and/or video data recorders, CCTV cameras and data storage media that store video data.
- Video data recorders — digital devices used to capture, record, store, view, and copy video data in corporate asset accounts.
- Other terms used in the Rules shall be understood as defined in the LRPPD, GDPR and other legal acts of the Republic of Lithuania.
II. PURPOSE AND SCOPE OF CCTV CAMERAS
- The purpose of CCTV cameras is to provide a preventive security measure to ensure the protection of the property and assets of the company, its employees and customers, as well as public order and a safe environment.
- Video surveillance cameras are installed at Slucko g. 8, Vilnius and Smolensko g. 12, Vilnius.
- CCTV cameras record:
- Outdoor areas of all premises: entrance and exit areas, on-site vehicle parking areas and all other public areas of the premises;
- Internal common areas for all units: corridors, entrance and exit of the building, common kitchen and leisure areas;
- Indoor and outdoor areas are monitored 24 hours a day with cameras.
- CCTV data shall be recorded on a data storage device and stored on digital media for at least 30 calendar days. Due to the limited capacity of the hard disk, the video recorder automatically deletes the oldest videos and saves the most recent video stream in the space left available. The staff responsible for the maintenance of the CCTV system, as defined in these Rules, shall ensure the continuity of the recording of the video data and ensure that the system is free from malfunctions.
III. MANAGEMENT OF CCTV FOOTAGE
- All recorded CCTV data shall be processed by the director of the company and the person authorised by them, the administrators of the premises, the employees of the security service (hereinafter referred to as the employees responsible for the maintenance of the CCTV system), who are responsible for the organisation of the CCTV system, the processing of the CCTV data, their transfer to third parties and the protection of the CCTV data under the conditions set out in these rules, except in the case of a technical malfunction of the CCTV system or in case of preventive maintenance. These staff members, who have the right of access to the CCTV data, have signed an undertaking to protect the confidentiality of personal data and undertake to comply with the requirements laid down in the legislation on the protection of personal data.
- Staff responsible for the maintenance of the CCTV system must:
- ensure that CCTV data is not used for purposes other than those defined in these Rules;
- ensure that CCTV cameras are installed in such a way that, having regard to the stated purpose of the CCTV surveillance as set out in these Rules, the CCTV surveillance does not cover a larger part of the territory or the premises than is necessary, and does not collect more video data than is necessary;
- comply with the basic principles of image data processing and the confidentiality and security requirements established by the LRPPD, GDPR, these Rules and other legal acts;
- ensure that the CCTV system is in good working order and that technical malfunctions of the CCTV system are dealt with swiftly, using all available technical resources;
- take organisational and technical measures to ensure the security of personal data in order to prevent accidental or unlawful destruction, loss, alteration, disclosure or any other unauthorised processing of image data;
- store video data on video data recorders and/or media;
- not disclose, transmit or allow access by any means to the video data to persons not entitled to do so;
- ensure that information boards (CCTV signs) are displayed in the building entrances, premises, and areas where CCTV surveillance is being carried out, with the following information: “The area and common areas are monitored by CCTV cameras for your security. Data Controller — UAB “Plėtojimo projektai”, company no. 305227656, tel. No. +370 650 22531, e-mail: firstname.lastname@example.org”; and “The grounds and common areas are monitored by CCTV cameras for your security. Data Controller — UAB “Tvari plėtra”, company no. 305600151, tel. No. +370 650 22531, e-mail: email@example.com”.
- ensure that the information boards are posted and visible before entering the CCTV area;
- record the transmission of CCTV data in the CCTV Transmission Log;
- ensure that the area covered by CCTV cameras does not include a residence and/or its private area or entrance, as well as premises where the data subject has a reasonable expectation of absolute privacy and where such surveillance would be degrading to human dignity;
- If the staff responsible for the maintenance of the CCTV system, or other employees of the company, become aware that CCTV data they are processing has been made available (or threatened to be made available) to persons who do not have the right to process the data, they shall:
- immediately take all feasible measures to stop unauthorised access to personal data processed;
- immediately inform the employee responsible for maintaining the CCTV system and/or the company director;
- immediately inform the responsible employee, who must record the incident in accordance with the procedures established by the company.
- Access rights to recorded CCTV data shall be terminated upon the termination of the mandate of the staff member processing the CCTV data, the termination of the employment relationship, or any change in the functions of the staff member for which access to the CCTV data is no longer required.
IV. PROVISION OF VIDEO DATA AND DATA RECIPIENTS
- According to the cases and procedures established by law, the company shall provide the video surveillance data processed by it to law enforcement authorities and other persons to whom the provision of such data is obliged by law or other legal acts, or to whom the company is obliged to provide such data, according to the procedure established by law or under contractual obligations. Also, upon the request of the data recipients under at least one of the conditions for lawful processing of personal data set out in Article 6 of Regulation (EU) 2016/679. The request must specify the purpose of the use of the video data, the legal basis for the provision and receipt of the video data, and the scope of the video data requested.
- The decision to provide image data shall be taken by the director of the company or a responsible person authorised by him.
- All staff members have the right to access their image data with the consent of the Director and, in exercising this right, must comply with the requirements laid down in the legislation on the protection of personal data.
V. ORGANISATIONAL AND TECHNICAL MEASURES FOR THE SECURITY OF PERSONAL DATA
- The following organisational and technical measures for the security of personal data shall be implemented to ensure the security of video data:
- access to live video surveillance is limited to staff who need live video surveillance data to perform their job functions;
- only the staff responsible for the maintenance of the CCTV system, as specified in these Rules, shall have the right to process the recorded CCTV data;
- access to video data is secured, managed and controlled (with passwords);
- protection of personal data against unauthorised access to the local area network by means of electronic communications;
- the security of the premises where the video data is stored and the adequate protection of the data storage devices (data storage devices are kept in locked rooms/lockers, access to the relevant premises is restricted to unauthorised persons, etc.);
- protection of computer equipment against malicious software (installation and updating of antivirus programmes, etc.);
- information on the fact that video surveillance is in progress is provided in all cases, regardless of the fact that at some designated locations video surveillance is not in progress at the time (e.g., a CCTV camera is not in operation all the time, at a fixed interval, etc.).
VI. RIGHTS AND OBLIGATIONS OF THE DATA SUBJECT
- The Data Subject shall have the following rights: to receive information about the processing of the data; to have access to the data; to request the erasure of the data (“right to be forgotten”) if the image data are stored for longer than the retention period set out in these Rules; to restrict the processing of the data; to object to the processing of the data.
- A copy of the CCTV footage (if the footage is stored) may only be provided upon the written request of the data subject or in accordance with the procedure established by law.
- A request from a Data Subject who wishes to receive a video recording (copy) of a third party other than himself or herself must specify the purpose of the use of the personal data, the legal basis for the provision and receipt of the personal data, and the scope of the personal data requested.
- Upon receipt of an enquiry from a person concerning the processing of video data relating to them, the company shall respond within 30 calendar days of receipt of the request, at the latest, as to whether the video data relating to the person is being processed, stored, and, if so, the procedure for providing such data.
- Upon a request by a data subject for access to their video data, the requested video data may be made available to the data subject by making the video available for viewing on the premises of the company and/or by making a copy of the video available on an external storage medium if the video data are stored.
- At the request of law enforcement authorities or other authorities to which the company undertakes to provide data in accordance with the procedure laid down by law, the video/copy recorded by CCTV cameras may be released without the consent of the persons captured in the video.
- In order to protect the personal data and interests of the customers of the company, third parties are only allowed to take photographs, video, or audio recordings in all premises and areas of the service stations upon request and with the prior permission of the management of the company, stating the reason for which they wish to take video/photographs/audio recordings and the legal grounds for doing so.
- The decision to allow photography, filming or audio-recording on the premises and in the area shall be taken by the director of the undertaking or the responsible person authorised by him.
VII. FINAL PROVISIONS
- These Rules shall be published on the website of the company www.chapters.lt and on the information boards of the premises being filmed.
- All employees of the company shall be informed of the Rules in a signed form and thereby undertake to comply with the Rules and other legal acts establishing the requirements for processing of personal data.
- The employees of the company who violate the requirements of these Rules shall be held liable in accordance with the procedures established by law.