1. The present Marketing Policy (hereinafter referred to as “the Policy”) of UAB BIOGAMI (hereinafter referred to as “the Company”) sets out the principles, purposes, and data protection requirements governing the Company’s marketing and advertising activities and the processing of personal data in connection therewith as well as their implementation.
2. The Policy has been drawn up in accordance with the General Data Protection Regulation (EU 2016/679) (hereinafter referred to as the “GDPR”), the Law on Legal Protection of Personal Data (No. 63-1479, dated 3 July 1996) and other legislation on the protection of personal data.
3. Terms used in this Policy:
3.1. Direct marketing involves activities aimed at offering goods or services to persons by e-mail, telephone, or other direct means and/or seeking their opinion on the goods or services offered;
3.2. Data controller means UAB BIOGAMI (company code: 302712857, address: Europos pr. 124, LT-46351 Kaunas), a legal person who acts as a controller of Personal Data and who, alone or jointly with others, determines the purposes and means of processing;
3.3. Personal data means information about an identified or identifiable natural person (data subject) for the purposes of marketing by the Data Controller, including, but not limited to, the person’s name, job title, image (photograph), video (footage);
3.4. Data subject is a natural person whose personal data is processed by the Company;
3.5. Processing means any operation or sequence of operations which is performed upon personal data or sets of personal data, by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data;
3.6. Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
3.7. Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
3.8. Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. The Data Controller shall ensure that by adopting and implementing this Policy, it aims to implement the following fundamental principles relating to the processing of personal data:
4.1. The processing of Personal Data in relation to the Data Subject shall be carried out in a lawful, fair, and transparent manner (the principle of lawfulness, fairness, and transparency);
4.2. Personal Data are collected for clearly defined and legitimate purposes and are not further processed in a manner incompatible with those purposes;
4.3. The further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall not be considered incompatible with the original purposes (‘purpose limitation’);
4.4. Personal data are adequate, relevant, and only those necessary for the purposes for which they are processed (‘minimisation’);
4.5. Efforts shall be made to ensure that personal data are accurate and, where necessary, updated within a reasonable period of time after the fact of change;
4.5. Every reasonable measure shall be taken to ensure that personal data which are not accurate in relation to the purposes for which they are processed are erased without undue delay or rectified within a reasonable period of time (‘accuracy’);
4.6. Personal data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed;
4.7. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
4.8. Taking into account the generic nature of the personal data processed by the Controller, personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
4.9. The controller shall be responsible for, and be able to demonstrate compliance with the above listed principles (‘accountability’).
7. The personal data referred to in Clause 6 of these Rules shall be collected and processed only with the consent of the Data Subject:
7.1. The consent of customers and/or third parties to participate in the marketing activities conducted by the Company shall be obtained directly from the customer/third party by the data subject providing personal data on the Company’s website, informing the customer/third party about the personal data being collected, the purposes for which the data will be used, and the customer’s/third party’s rights and the exercise of his/her rights as a Data Subject;
8. Customers and third parties on the basis of whose consent their personal data is processed for the purpose of carrying out marketing activities shall be informed of their right to withdraw their consent to the processing of their personal data for the purpose of marketing at any time, without prejudice to data lawfully processed on the basis of their consent prior to the withdrawal of consent.
9. Persons who have consented to receive newsletters by e-mail may withdraw their consent to direct marketing at any time by contacting the Company directly by telephone or e-mail (firstname.lastname@example.org).
10. Personal data processed for the purposes referred to in Clause 5 of this Policy shall be stored in accordance with the General Index of Document Retention Periods approved by the Chief Archivist of Lithuania, but no longer than required for the purposes of personal data processing referred to in Clause 6 of this Policy:
10.1. Consents to the processing of personal data – 1 year (after the expiry of the retention period of the personal data for which consent was given);
10.2. Contracts for goods, works, services, certificates of acceptance for goods, works and services – 10 years (after the expiry (end) of the contract).
11. Personal data provided in consents and other documents are stored in the cloud managed by the Company.
12. At the end of the retention period, the personal data contained in the above-mentioned documents shall be transferred to the archive and stored in accordance with the Order of the Chief Archivist of the Republic of Lithuania of 9 March 2011 (Order No. V-100) which approves the General Index of Document Retention Periods, within the time limits indicated in the Index of Document Retention Periods, and shall be destroyed on expiry of the time limits.
13. Data erasure is carried out by deleting data from all applications and systems used by the Company, without the possibility of recovery.
14. Personal data processed for the purposes of marketing as set out in this Policy is/may be transferred to recipients such as:
14.1. State bodies and institutions, other persons exercising functions assigned to them by law (e.g. the State Tax Inspectorate, SODRA (social insurance fund), law enforcement authorities, authorities supervising the Company).
15. Data processors authorised by the Company – Third Parties:
15.1. Parties that maintain registers and/or IT systems (in which personal data are processed) or that act as intermediaries for the provision of personal data from such registers;
15.2. Companies and/or individuals providing advertising and marketing services;
16. Other persons related to the Company’s activities, such as archivists, postal service providers, Partners, Suppliers, other authorized parties related to the Company’s marketing process.
17. The data protection legislation provides Data Subjects whose personal data is processed for the purposes set out in this Policy with rights in relation to the processing of personal data:
17.1. Right of access: The Data Subject shall have the right to request confirmation from the Company as to whether or not his or her personal data are being processed and, in such cases, to request access to the personal data processed. In order to exercise this right, the Data Subject may submit a written request to the Data Protection Officer of the Company at email@example.com;
17.2. Right to rectification: if the Data Subject considers that information about him or her is incorrect or incomplete, he or she has the right to request its rectification. In order to exercise this right, the Data Subject may submit a written request to the Company at firstname.lastname@example.org;
17.3. Right to object: The Data Subject shall have the right to object to the processing of personal data where the processing is not based on the legitimate interests of the Company. However, notwithstanding the Data Subject’s objection, the Company will continue to process your data where there are legitimate grounds for continuing to process the data. In order to exercise this right, the Data Subject may submit a written request to the Company at email@example.com;
17.4. Right to erasure (‘right to be forgotten’): in certain circumstances, the Data Subject shall have the right to request that the Company erase their personal data. However, this does not apply if the Company is required by law to retain the data. In order to exercise this right, the Data Subject may submit a written request to the Company at firstname.lastname@example.org;
17.5. Right to restriction of processing: in certain circumstances, the Data Subject shall also have the right to restrict the processing of his or her personal data. In order to exercise this right, the Data Subject may submit a written request to the Company at email@example.com;
17.6. The right to lodge a complaint about the improper processing of your personal data with the State Inspectorate for the Protection of Personal Data, either directly at L. Sapiegos g. 17, Vilnius or by email to firstname.lastname@example.org.
18. The Company shall, upon receipt of a request to cease processing personal data which is subject to optional processing, cease the processing of such data within 30 calendar days of the Data Subject’s request, unless this is contrary to the requirements of the legislation, and shall inform the Data Subject in writing thereof.
19. This Policy applies to all data subjects of the Company whose personal data is processed for marketing purposes as set out in this Policy.
20. The Company shall have the right to amend/update this Policy at any time in the event of changes in the marketing process and/or legislation governing the Company’s activities and/or marketing. Data Subjects may consult the changes to the Policy by visiting the Company and the Company’s website.
21. These Rules shall enter into force on 11 November 2022.
CONSENT TO THE PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
I, ______________________________________________________________________________, that
(name, surname, agree/disagree)
1. UAB BIOGAMI (company code 302712857, address Europos pr. 124, LT-46351 Kaunas) (hereinafter referred to as the “Data Controller”) processes my personal data for direct marketing purposes, including the provision of personalised offers.
2. I confirm that:
2.1. I have been informed that for direct marketing purposes, the Data Controller will process the following personal data about me for a maximum period of 3 (three) years:
2.1.1. The email address that I have entered on the website in order to receive newsletters sent by the Company;
2.1.2. The telephone number that I provide at the time of ordering when consenting to receive direct marketing communications.
2.2. After the expiry of the term of data processing for direct marketing purposes or if I withdraw my consent, the Data Controller will retain data on the fact of giving this consent for 5 (five) years from the expiry of the term of data processing referred to in this paragraph or the withdrawal of the consent, for the purpose of lodging, exercising or defending the Data Controller’s legal claims;
2.3. I have been informed that my personal data processed for the purpose of direct marketing may be transferred by the Data Controller to data processors who provide direct marketing services to the Data Controller and process the data on behalf of the Company;
2.4. I am aware that I have the right to object, without providing any grounds for objection, to the processing of my personal data for direct marketing purposes, including profiling, insofar as it relates to direct marketing except where such processing is carried out for the purposes of a legitimate interest pursued by the Data Controller or by a third party to whom the personal data are disclosed and where my interests are not overriding.
2.5. I am aware of my rights as a data subject:
2.5.1. The right to know (be informed) about the processing of personal data;
2.5.2. To have access at any time to my personal data processed and learn how they are processed;
2.5.3. The right to request the rectification, destruction of personal data or suspension of the processing of personal data other than storage;
2.5.4. Where the processing is not in accordance with the provisions of the legislation, to request that the personal data processed, if processed by automated means, be transmitted by the data controller to another data controller or to me, if this is technically feasible (the right to portability of personal data);
2.5.5. If the data controller has violated my rights, to lodge a complaint about the processing of personal data with the State Data Protection Inspectorate directly or by email to email@example.com.
2.6. I am aware that I can inform the Data Controller at any time that I do not wish to receive personalised offers and advertising. I can opt out of offers and advertising by contacting the Data Controller by e-mail: firstname.lastname@example.org;
3. I am aware and understand that in order to obtain more information about the processing of my personal data, I can contact the Data Controller directly by email at email@example.com.
4. This Consent is given freely. I have read and agree to the processing of my personal data for direct marketing purposes.