Privacy Policy

The purpose of this Privacy Policy is to provide information about the collection and processing of personal data on data subjects, to specify the data storage terms and data recipients, to explain the data subjects’ rights and the procedure for exercising them, and where to apply concerning the rights or on other matters related to the personal data processing. Personal data are processed in accordance with Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), the Republic of Lithuania Law on the Legal Protection of Personal Data and other legal acts governing personal data protection. Enlito Group applies the following main principles of data processing:

– personal data are collected only for clearly defined and lawful purposes;

– personal data are always processed lawfully and in good faith;

– personal data are updated constantly;

– personal data are securely stored, for no longer than required by set personal data processing objectives and legal acts;

– processing of personal data is entrusted only to those employees of Enlito Group that are authorised to do so according to their work functions or by duly authorised data processors.

1. Terms and Definitions

1.1. Data controller means Enlito Group (the ‘Company’), address Laisvės g. 4, Marijampolė.

1.2. Data subject means any natural person whose data are processed by the Company. The data controller limits the data collection to the data required for the carrying out of the Company‘s operations and/or visiting, browsing and using the Company‘s websites, Facebook account etc. (the ‘Website’). The Company ensures that the personal data collected and processed are safe and are used for specified purposes only.

1.3. Personal data means any information relating to an identified or identifiable data subject’ who can be identified, directly or indirectly, by using relevant data. Personal data processing means any operation which is performed on personal data (such as collection, recording, storage, editing, alteration, granting access, making queries, transmission, archiving etc.).

1.4. Consent means any freely given, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her.

2. Sources of Personal Data

2.1. Personal data are provided by the data subject himself/herself, by applying to the Company, using the Company‘s services, buying its goods and/or services, leaving comments, asking questions, subscribing to newsletters, requesting information etc.

2.2. Personal data are obtained while the data subject visits the Company‘s website. The data subject fills in forms on the Website, leaves their contact details in it etc.

2.3. Personal data can also be obtained from other sources – other institutions or enterprises, public registers etc.

3. Personal Data Processing

3.1. By providing their personal data to the Company, the data subject agrees to the use of such data by the Company for the fulfilment of its obligations to the data subject and for the provision of the services expected by the data subject.

3.2. The Company processes personal data for the following purposes:

3.2.1. Securing performance and continuity of the Company‘s operations. The following personal data are processed for these purposes:

– Conclusion and performance of contracts/agreements – the Company may process personal data on its suppliers (natural persons): first name/names, surname/surnames, personal ID No or date of birth, place of residence (address), telephone number, email address, place of work, job title, bank account number and bank name; date, amount and currency of a payment transaction as well as other data that are provided by the individual and which the Company receives under the law, in carrying out its activities, or the processing of which is mandatory under the laws and/or other legal acts. E. g. details contained in the person‘s business licence (type, group, code and description of the activity, periods of carrying out the activity, date of issue, amount), number of the certificate of individual business activities issued to the person; indication of whether the data subject is registered for VAT and other data required for the proper performance of the contract/agreement or statutory duties;

– Contracts, agreements, tax invoices and other relevant documents are stored in accordance with the Directory for Storage of General Documents approved by order of the Chief Archivist of Lithuania and within time limits stated therein.

– Legal ground for the data processing – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of GDPR), where the Company is obligated to process certain personal data by law (Article 6(1)(c) of GDPR).

3.2.2. Provision of employment services. The following data are processed for this purpose:

– first name/names, surname/surnames, personal ID number, signature, contact details (telephone number, email address), place of work and job title, other information that the person has decided to provide; the candidate‘s letter of reference and motivational letter containing information about previous and current work functions, competencies and personal characteristics);

– Personal data are stored for 10 years after the end of the contractual relationship with the client. Legal basis for the personal data processing – processing is necessary for the performance of a contract to which a data subject – a trainee/intern is party, or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of GDPR), and the data subject‘s consent (Article 6(1)(a) of GDPR).

3.2.3. Administration of the database of CVs submitted by candidates for jobs. The following data are processed for this purpose:

– first name/names, surname/surnames, date of birth (age), place of residence (address), contact details (telephone number, email address), educational attainment (educational establishment, study period, education and/or qualification attained), information on skills improvement (training attended, certificates acquired), work experience (place of work, period of work, job title, responsibilities and/or achievements), proficiency in languages, IT and driving skills, other competencies, and other information provided in the CV, motivational letter or other documents of the candidate, letters of reference and feedback from employers: persons that recommend the candidate/provide feedback, their contact details, and content of the letter/feedback.

– After the end of the period of selection for a position, if the data subject‘s candidacy was no selected and employment contract was not concluded, the Company will delete the CVs and other data submitted by the candidate unless the Company has received the candidate‘s consent to process their personal data for a longer period and offer them a job. In such a case, the candidate‘s data are stored for 1 (one) months after the data submission date, by automated means. On expiry of the said data processing and storage term, the data controller‘s authorised employees will destroy the personal data within 1 (one) calendar week. A longer personal data storage term may be applied if the personal data are necessary for the purposes of resolution of a dispute/handling of a complaint, or on other statutory grounds.

– Legal ground for the data processing – the data subject‘s consent (Article 6(1)(a) of GDPR).

3.2.4. Administration of queries, comments and complaints. The following data are processed for this purpose:

– Name and/or username, telephone number, email address, text of relevant message, comment, feedback or complaint.

– Data on queries, comments and complaints are stored for one calendar year after submission thereof.

– Legal ground for the data processing – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of GDPR) and the data subject‘s consent (Article 6(1)(a) of GDPR).

3.2.5. Ensuring quality of telephone consulting on the Company‘s services by improving customer service and ensuring that information is provided in a qualified manner and effectively (recording of telephone conversations). The following data are processed for this purpose:

– Recording of the telephone conversation, caller‘s number and call recipient‘s number, date and length of the conversation.

– Recordings of telephone conversations are stored for one month.

– Legal ground for the data processing – the data subject‘s consent (Article 6(1)(a) of GDPR).

3.2.6. Direct marketing. The following data are processed for this purpose:

– first name/names, surname/surnames, telephone number, email address.

– Personal data are stored for 5 years after the day when the consent was given. This term may be extended if personal data are or can be used as evidence or an information source in a pre-trial investigation or another investigation including by the State Data Protection Service, or civil, administrative or criminal proceedings, or in other cases prescribed by the law. In such cases, personal data can be stored as long as necessary for such data processing purposes, and will be destroyed as soon as they are no longer necessary.

– Legal ground for the data processing – the data subject‘s consent (Article 6(1)(a) of GDPR) and the necessity to pursue lawful interests of the Company to improve its operations and business performance (Article 6(1)(f) of GDPR).

3.2.7. For other purposes when the Company has the right to process personal data on a data subject on the basis of their consent, or the data are processed in the legitimate interest of the Company, or where the Company is obligated to process the data under the law.

4. Use of Social Networks

4.1. Any information provided by means of social media (including messages, use of Like and Follow, etc.) is controlled by the manager of the relevant social network.

4.2. The Company has a Facebook social network account. Privacy policy of this social network can be found at https://www.facebook.com/privacy/explanation;

4.3. The Company has an Instagram Facebook social network account. Privacy policy of this social network can be found at https://help.instagram.com/519522125107875;

4.4. The Company has a LinkedIn social network account. Privacy policy of this social network can be found at https://www.linkedin.com/legal/privacy-policy.

4.5. We recommend that you should read privacy notices published by third parties and contact service providers directly if you have any questions as to the use of your personal data.

5. Newsletters

5.1. The Company uses services of third parties – MailChimp and MailerLite for the sending of newsletters. MailChimp and MailerLite use only email addresses of the newsletter recipients. Privacy policies of MailChimp and MailerLite can be found at the following addresses:

• MailChimp’s privacy policy:  https://mailchimp.com/legal/privacy/;
• MailerLite’s privacy policy: https://www.mailerlite.com/legal/privacy-policy.

5.2. A newsletter recipient may unsubscribe by clicking on Unsubscribe at the bottom of an email, by replying to the email, or by informing the Company by email that the recipient does not wish to continue receiving newsletters.

6. Provision of Personal Data

6.1. The Company undertakes to maintain confidentiality of the data subjects‘ personal data. Personal data may only be disclosed to third parties if this is required for the purposes of concluding and performing a contract for the benefit of the data subject, or for other legitimate reasons.

6.2. The Company may provide the personal data to data processors that provide services to the Company and process the personal data on the Company‘s behalf. The data processors must process the personal data only according to the Company‘s instructions and only to the extent that is necessary for the proper performance of contractual obligations. The Company hires only such data processors that provide reasonable assurance that appropriate technical and organisational measures will be implemented in a way ensuring compliance with the GDPR and protection of the data subject‘s rights.

6.3. The Company may also provide personal data in response to requests from judicial authorities or other authorities to the extent that is necessary for the proper implementation of legal acts and compliance with the authorities’ instructions.

6.4. The Company guarantees that the personal data will not be sold or rented out to third parties.

7. Processing of Data on Minors

7.1. A person may provide their personal data through the Website provided that he/she has reached 16 years of age. If a person is under 16, he/she must provide a written consent to personal data processing issued by his/her representative (a parent or a guardian) prior to using the Company‘s services.

8. Term of Personal Data Storage

8.1. Data collected by the Company are stored in hardcopy format and/or in the Company‘s information systems. The personal data are processed no longer than required for achieving the data processing purposes or no longer than required by the data subject and/or provided for by the law.

8.2. While the data subject may terminate the contract and refuse from the Company‘s services, the Company will continue storing the data subject‘s personal data until the end of the storage term, due to the possibility of future requirements or claims.

9. Rights of the Data Subject

9.1. Right to receive information about data processing.

9.2. Right of access to the personal data being processed.

9.3. Right to request rectification of the data.

9.4. Right to erasure (‘right to be forgotten’). This right does not apply if the personal data that the data subject requests to be erased are being processed also on another legal ground such as the processing necessary for the performance of a contract or compliance with a legal obligation.

9.5. Right to restrict the data processing.

9.6. Right to object to the data processing.

9.7. Right to data portability. The right to data portability may not produce a negative impact on rights and freedoms of others. The data subject does not have the right to portability in respect of the personal data that are processed by non-automated means in systematised file systems, e. g. hardcopy files.

9.8. Right not to be subject to decisions based solely on automated processing including profiling.

9.9. Right to file a complaint concerning data processing to the State Data Protection Inspectorate.

12.1. The data subject has the obligation to:

12.1.1. inform the Company about any changes in the information/data provided. It is important for the Company to have correct and valid data on the data subject;

12.1.2. Provide requested information so that the Company, having received the data subject‘s application, can identify them and satisfy itself that it is communication/cooperating with the specific data subject (provide a personal ID document or identify themselves according to a procedure prescribed by the law or by electronic means that would enable proper identification of the data subject). This is required to protect the data subject and other persons so that relevant data are disclosed to the data subject only, without violating other persons‘ rights.

13. Final Provisions