1. PURPOSE OF THE PRIVACY POLICY

The purpose of this Privacy Policy is to inform how the personal data of data subjects is collected and processed, to explain how long the data is retained, to whom it may be disclosed, what rights the data subjects have, and where to turn for exercising these rights or for any other questions related to personal data processing.

Personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other legal acts governing personal data protection.

UAB “Sistemų registras” adheres to the following key data processing principles:

• Personal data is collected only for clearly defined and legitimate purposes;

• Personal data is processed lawfully and fairly;

• Personal data is regularly updated;

• Personal data is stored securely and not longer than required by the defined purposes of processing or applicable legal acts;

• Personal data is processed only by employees of the company who are authorized to do so according to their job functions, or by properly authorized data processors.

2 DEFINITIONS

2.1. Data Controller – UAB “Sistemų registras” (hereinafter – the Company), legal entity code 302834882, registered address: Taikos pr. 131B, Kaunas.

2.2. Data Subject – any natural person whose personal data is processed by the Company.

The Data Controller collects only the personal data necessary to carry out the Company’s activities and/or when visiting, using, or browsing the Company’s websites, LinkedIn social network page, etc. (hereinafter – the Website). The Company ensures that the collected and processed personal data is secure and used solely for a specific purpose.

2.3. Personal Data – any information that directly or indirectly relates to a Data Subject whose identity is known or can be directly or indirectly determined by using relevant data. Personal data processing means any operation performed on personal data (including collection, recording, storage, editing, modification, access provision, queries, transfer, archiving, etc.).

2.4. Consent – any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they agree to the processing of their personal data for a specified purpose.

3 SOURCES OF
PERSONAL DATA

3.1. Personal data is provided directly by the data subject. This occurs when the data subject contacts the Company, uses its services, leaves comments, asks questions, or requests information from the Company.

3.2. Personal data is obtained when the data subject visits the Company’s website. This includes situations where the data subject fills out forms on the website or otherwise submits their contact information.

3.3. Personal data is obtained from other sources. This may include information from other institutions or companies, publicly available registers, and similar sources.

4 PROCESSING OF PERSONAL DATA

4.1. By providing personal data to the Company, the data subject agrees that the Company may use the collected data to fulfill its obligations to the data subject and to provide the services expected by the data subject.

4.2. The Company processes personal data for the following purposes:

4.2.1. To ensure and maintain the continuity of the Company’s operations. The following data is processed for this purpose:

• Personal data of suppliers (natural persons) may be processed for the purpose of contract conclusion and execution, including: first name(s), surname(s), personal identification number or date of birth, place of residence (address), phone number, email address, employer, job title, bank account number and the bank where the account is held, date and details of monetary transactions or contracts (amount, currency), and other data provided by the person, received by the Company under applicable laws during the course of its business, and/or data that the Company is legally obliged to process.

• For example, this may include data contained in a business certificate (type of activity, group, code, title, activity period, date of issuance, amount), individual activity certificate number, VAT payer status, and other data required to properly perform contractual obligations and/or comply with legal requirements.

• Contracts, VAT invoices, and other related documents are stored in accordance with the retention periods specified in the General Document Storage Index approved by the Chief Archivist of Lithuania. The legal basis for processing this data is: the necessity to perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b)), and in cases where certain personal data must be processed due to legal obligations – compliance with a legal obligation (GDPR Article 6(1)(c)).

4.1.2. Administration of inquiries, comments, and complaints. The following data is processed for this purpose:

• First name(s), surname(s) and/or username, email address, phone number, address, subject of the message, comment, review, or complaint, and the content of the message, comment, review, or complaint.

• Data related to inquiries, comments, and complaints is stored for 1 calendar year from the date of submission.

• The legal basis for data processing is the legitimate interest of the data controller or a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring personal data protection, especially if the data subject is a child) (GDPR Article 6(1)(f)), as well as the data subject’s consent (GDPR Article 6(1)(a)).
  

5 USE OF SOCIAL
MEDIA

5.1. All information you provide through social media platforms (including messages, use of “Like” and “Follow” buttons, and other communications) is controlled by the respective social media network operator.

5.2. Our Company currently maintains an account on the LinkedIn social network. Its privacy policy is available at: https://www.linkedin.com/legal/privacy-policy

5.3. We recommend that you read the privacy policies of third parties and contact the service providers directly if you have any questions about how your personal data is used by them.

6 DISCLOSURE OF PERSONAL DATA

6.1. The Company is committed to maintaining confidentiality with respect to data subjects. Personal data may be disclosed to third parties only when necessary for the conclusion and execution of a contract in favor of the data subject, or for other legitimate reasons.

6.2. The Company may provide personal data to its data processors, who provide services to the Company and process personal data on its behalf. Data processors are authorized to process personal data only in accordance with the Company’s instructions, and only to the extent necessary to fulfill the obligations set out in the agreement. The Company engages only those processors who adequately ensure the implementation of appropriate technical and organizational measures in such a way that the processing complies with the requirements of the Regulation and ensures the protection of the data subject’s rights.

6.3. The Company may also disclose personal data in response to requests from courts or governmental authorities, to the extent necessary to properly comply with applicable legislation and official instructions.

6.4. The Company guarantees that personal data will not be sold or rented to third parties.

7. PROCESSING OF MINORS’ PERSONAL DATA

7.1. Individuals under the age of 14 are not permitted to submit any personal data via the Company’s website. If a person is under 14 years old and wishes to use the Company’s services, a written consent from a legal representative (parent or guardian) must be provided prior to submitting any personal information.

8. PERSONAL DATA RETENTION PERIOD

8.1. The personal data collected by the Company is stored in printed documents and/or in the Company’s information systems. Personal data is processed no longer than necessary to achieve the purposes of processing or as long as required by data subjects and/or applicable legal acts.

8.2. Although a data subject may terminate the contract and discontinue the use of the Company’s services, the Company is still obliged to retain the data subject’s personal data in case of potential future claims or legal disputes, until the applicable retention periods expire.

9 RIGHTS OF THE DATA SUBJECT

9.1. The right to receive information about data processing.

9.2. The right to access personal data being processed.

9.3. The right to request the rectification of data.

9.4. The right to request the erasure of data (“Right to be forgotten”). This right does not apply if the personal data requested for erasure is processed on another legal basis, such as processing necessary for the performance of a contract or for compliance with legal obligations.

9.5. The right to restrict data processing.

9.6. The right to object to data processing.

9.7. The right to data portability. This right must not adversely affect the rights and freedoms of others. The data subject does not have the right to data portability with respect to data processed in non-automated, structured files, such as paper-based records.

9.8. The right to request that no decision based solely on automated processing, including profiling, be applied.

9.9. The right to lodge a complaint with the State Data Protection Inspectorate regarding the processing of personal data.

9.10. The Company is obliged to enable the data subject to exercise the above-mentioned rights, except in cases defined by law, where data processing restrictions are necessary to ensure national security or defense, public order, prevention, investigation, detection or prosecution of criminal offenses, important state economic or financial interests, prevention, investigation or detection of breaches of professional or official ethics, or the protection of the rights and freedoms of the data subject or other individuals.

10 PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS

10.1. To exercise their rights, the data subject may contact the Company:

10.1.1. By submitting a written request in person, by mail, through an authorized representative, or via electronic communication – by email: info@sertifikuoti.lt

10.1.2. Orally – by phone: +370 698 31801

10.1.3. In writing – to the address: Taikos pr. 131B, Kaunas

10.2. In order to protect personal data from unauthorized disclosure, the Company, upon receiving a data subject’s request to access data or exercise other rights, must verify the identity of the data subject.

10.3. The Company shall respond to the data subject no later than one month from the date of receiving the request, taking into account the specific circumstances related to the processing of personal data. If necessary, this period may be extended by an additional two months, depending on the complexity and number of requests.

11. DATA SUBJECT’S RESPONSIBILITY

11.1. The data subject must:

11.1.1. Inform the Company about any changes to the information and data provided. It is important for the Company to have accurate and up-to-date information about the data subject;

11.1.2. Provide the necessary information so that, upon request, the Company can identify the data subject and ensure that it is communicating or cooperating with the correct individual (e.g., by presenting an identity document or using methods required by law or secure electronic communication that allows for proper identification). This is essential to protect the data subject’s and other individuals’ data, ensuring that information is disclosed only to the correct person and without infringing upon the rights of others.

12 FINAL
PROVISIONS

12.1. By submitting personal data to the Company, the data subject agrees to this Privacy Policy, understands its provisions, and commits to complying with them.

12.2. As the Company’s activities evolve and improve, the Company reserves the right to unilaterally amend this Privacy Policy at any time. The Company has the right to modify the Privacy Policy in part or in full by publishing a notice on its website at www.sertifikuoti.lt.

12.3. Any amendments or additions to the Privacy Policy shall enter into force from the date of their publication, i.e., from the date they are posted on the website www.sertifikuoti.lt.

Privacy Policy