PRIVACY NOTICE
UAB ‘Baltijos lokacijų paslaugos’ process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the GDPR), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, and other applicable data protection legislation.
In the Privacy Notice below, you will find information about what personal data UAB ‘Baltijos lokacijų paslaugos’, as the data controller, collects and processes, how it is used, how long it is retained, as well as what rights you have and how you can exercise them.
This information is important, and we hope you will read it carefully.
PRIVACY STATEMENT CONCERNING THE PROCESSING OF PERSONAL DATA
This Privacy Statement is intended for individuals, business entities or their representatives with whom UAB “Baltijos lokacijų paslaugos” (the Company) enters into agreements for the rental of prop items, facility vehicles and short-term vehicle rentals.
| Data controller UAB “Baltijos lokacijų paslaugos” Entity number: 303388034 Address: Gedimino pr. 21-101, Vilnius Phone +370 666 72 065 E-mail rentals@blp.lt | Data protection officer Rusnė Juozapaitienė Phone +370 698 34316 E-mail rusne@duomenuapsauga.eu |
The Company processes personal data in accordance with the GDPR[1], the Law of the Republic of Lithuania on Legal Protection of Personal Data and other applicable legal acts.
The information about the purposes of the personal data processing, the categories of data subjects and personal data, the legal bases for the processing of personal data, also the time limits for storing personal data and the recipients of personal data is provided below.
Sources of Personal Data
The Company obtains your data directly from you, the business entities you represent, third parties, and your employers. If you do not provide the necessary personal data or object to its processing, the Company will be unable to enter into a contract and ensure your legal guarantees.
PROCESSING OF PERSONAL DATA OF BUSINESS REPRESENTATIVES AND EMPLOYEES
What we process: personal data of business representatives and employees for the purpose of service contract conclusion, authorization, and payment administration. The following personal data is processed (including, but not limited to): name, surname, job title, phone number, email address, signature, and individual activity certificate or business license number.
Legal basis: Article 6(1)(b) of the GDPR – performance of a contract. Article 6(1)(f) of the GDPR – legitimate interests in ensuring contract conclusion and execution.
Personal data storage period: 10 years after the contract termination.
Recipients of personal data (including, but not limited to): Contractors/suppliers, the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, legal service providers, payment service providers, auditors, insurance companies, and financial service companies.
COMPLIANCE WITH OCCUPATIONAL SAFETY REQUIREMENTS, AND INVESTIGATION OF INCIDENTS
What we process: personal data of Company’s employees and client representatives to ensure compliance with occupational safety requirements and investigate incidents. The following personal data is processed (including, but not limited to): name, surname, position (job title), contact details, signature (in case of safety instructions), injury and health information.
Legal basis: Article (6)(1)(c) of the GDPR – a legal obligation; Article (9)(2)(b) of the GDPR – a legal obligation in the field of employment and social security and social protection law.
Personal data storage period: based on the Index of Retention Periods for General Documents.
Recipients of personal data (including, but not limited to): health care institutions, insurance companies, legal service providers, auditors, State-owned companies (in the event of a serious incident).
ORGANIZATION OF BUSINESS TRIPS
What we process: personal data of the persons going on business trips for the purpose of organizing business trips. The following personal data is processed (including but not limited to): name, surname, position (job title), personal ID number, e-mail, phone number, ID document information.
Legal basis: Article (6)(1)(f) of the GDPR – legitimate interests in organizing business trips.
Personal data storage period: 10 years.
Recipients of personal data (including, but not limited to): hotels, airlines, tour operators, embassies, financial services company, payment service providers, insurance companies.
VIDEO SURVEILLANCE
What we process: personal data of individuals captured within the surveillance camera field, including video recordings, images, and the date and time of recording.
Legal basis: Article 6(1)(f) of the GDPR – legitimate interests in ensuring the protection of individuals and property.
Personal data storage period: Video surveillance recordings are stored for 14 days unless there is an objective reason to retain them longer, such as an ongoing incident investigation or a request from law enforcement authorities. After this period, recordings are automatically and irreversibly deleted, except when required for legal or administrative proceedings.
Recipients of personal data (including but not limited to): law enforcement authorities and government agencies.
VEHICLE PROTECTION
What we process: personal data of clients using the Company’s vehicles, including but not limited to: name, surname, phone number, vehicle license plate number, route, and data collected through GPS tracking.
Legal basis: Article 6(1)(f) of the GDPR – legitimate interests in ensuring vehicle security.
Personal data storage period: 10 years (route sheets).
Recipients of personal data: State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, financial accounting companies, auditors, rental and insurance companies.
VERIFICATION OF RENTAL VEHICLE DRIVER’S IDENTITY, DRIVERS LICENSE AND MINIMUM DRIVING EXPERIENCE
What we process: personal data of client representatives using the Company’s vehicles, including name, surname, date of birth, driver’s license issuance date, driver’s license validity period, driver’s license number, personal identification number, acquired driving license categories, and the acquisition dates of these categories.
Legal basis: Article 6(1)(f) of the GDPR – legitimate interests in ensuring the protection of individuals and property.
Personal data storage period: until the fulfillment of legal obligations arising from the contract.
Recipients of personal data: State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, financial accounting companies, auditors, insurance companies.
ACCESS CONTROL AND ALARM SYSTEM
What we process: access (entry), alarm codes and / or the name, surname and phone number of persons with access permits.
Legal basis: Article (6)(1)(f) of the GDPR – legitimate interests in ensuring the safety of property and persons.
Personal data storage period: until the fulfillment of legal obligations arising from the contract.
Recipients of personal data (including, but not limited to): the security services company.
FINANCIAL ACCOUNTING
What we process: personal data of business representatives and employees for the purpose of handling financial accounting. The following personal data is processed (including, but not limited to): name, surname, address, bank account number, e-mail address, the number of the individual activity certificate or business certificate (of independent contractors) and taxpayer identification number, signature of their representatives.
Legal basis: Article (6)(1)(c) of the GDPR – a legal obligation (Article 7 of the Law of the Republic of Lithuania on Financial Accounting), and Article (6)(1)(f) of the GDPR – legitimate interests in handling the financial accounting.
Personal data storage period: 10 years.
Recipients of personal data (including but not limited to): VMI (State Tax Inspectorate), financial accounting firm, payment service providers, auditors.
EXAMINATION OF REQUESTS, COMPLAINTS, NOTIFICATIONS OF INDIVIDUALS
What we process: name, surname, position (job title), contact details, work functions and signature of the persons submitting requests, complaints or notifications, their addressees and drafters of documents, also the content of documents.
Legal basis: (6)(1)(c) of the GDPR – a legal obligation.
Personal data storage period: 1 year after the resolution.
Recipients of personal data (including, but not limited to): addressees, legal service providers, auditors.
ENSURING PREVENTION OF VIOLENCE AND HARASSMENT, INVESTIGATING REPORTS OF VIOLATIONS
What we process: personal data for the purpose of preventing violence and harassment, investigating reports of violations. The following personal data is processed: the name, surname, position (job title), contact information of the persons reporting an incident, potential victims, persons against whom a complaint is made and / or suspected persons, witnesses and persons who carried out the investigation, details of the incident, information related to the violation and findings of the investigation.
Legal basis: (6)(1)(c) of the GDPR – a legal obligation.
Personal data storage period: 1 year after the resolution.
Recipients of personal data (including but not limited to): law enforcement authorities and government agencies.
ADMINISTRATION OF ONLINE MEETINGS
What we process: the online meeting participants’ names, surnames, e-mail addresses, IP addresses, device information, the start and end times of online meetings, also the video, audio and presentation recordings in the case of recording.
Legal basis: Article (6)(1)(f) of the GDPR – legitimate interests in organising online meetings; if the online meeting is filmed, then Article (6)(1)(a) of the GDPR (consent) applies.
Personal data storage period: based on the settings of the online meeting platform.
Recipients of personal data: IT maintenance service company, online meeting platforms, other participants in online meetings.
PROVIDING WIRELESS INTERNET (Wi-Fi) ACCESS
What we process: the Wi-Fi users’ data to provide wireless Internet (Wi-Fi) access. The following personal data is processed: the login time, IP address, device MAC address, the type of device used, volume of data traffic, network services used (e.g., DNS queries, websites visited).
Legal basis: Article (6)(1)(f) of the GDPR – legitimate interests in enabling access to the Internet.
Personal data storage period: until the fulfilment of legal claims arising from the contract.
Recipients of personal data: IT maintenance service company, IT service provider.
VISIBILITY PROMOTION (SOCIAL MEDIA ADMINISTRATION)
We, along with social media platforms, manage our accounts on social media. The information you provide on social media or that is obtained when you visit the Company’s accounts is controlled by the social media operators. Therefore, we recommend that you should read the privacy statements of the social media operators. The following personal data is processed: the profile data of visitors of the social media, Like, Follow clicks, comments, sharing.
Legal basis: Article (6)(1)(f) of the GDPR – legitimate interests of the data controller to increase the Company’s visibility.
Personal data storage period: based on the policy established by the social media platform.
Recipients of personal data: social media operators with whom the Company acts as joint data controllers.
PERSONAL DATA RECIPIENTS AND PROCESSORS
We may transfer your personal data to the data recipients indicated above in connection with specific purposes, taking into account the basis of the data provision and ensuring security of the data transferred. In addition, we may transfer your data to the following recipients: law enforcement authorities; legal service providers; third parties (including, but not limited to): the Company’s production partners, entities / persons financing the film production, other professional consultants, accountants, payment service providers, legal and regulatory authorities, service providers (including, but not limited to insurance service providers, IT service providers, cloud storage providers and business travel service providers), broadcasters, distributors, agencies, advertisers and other persons associated with your obligations under your contract.
Any data processing takes place in line with the instructions of the Company and the data processing agreement or legal acts, providing only the necessary access.
DATA TRANSFERS OUTSIDE THE EU / EEA
As a rule, we process and store personal data of data subjects in the territory of the European Union (EU) or the European Economic Area (EEA).
Your personal data may be transferred, stored and processed outside the EEA, where data protection rules may not provide the same protection as applicable in the EEA. The Company will transfer your personal data outside the EEA in accordance with the requirements of Chapter V of the GDPR: if (i) such a transfer takes place in a country or jurisdiction that has been approved by the European Commission as having an adequate level of protection; (ii) appropriate safeguards are applied in accordance with data protection legislation, (iii) there is an applicable exception (for example, we have your explicit consent or the transfer is necessary for the Company to perform its obligations under your contract, or the transfer is necessary for the Company to be able to perform its obligations under a contract to which you are not a party, but which is beneficial to you (e.g., to provide your personal data to a film broadcaster, the entity / person financing the film production, and / or a distributor).
Profiling and automated decision-making
The Company does not carry out profiling and automated decision-making that would entail significant consequences for you or would have a significant impact on you.
RIGHTS THAT YOU HAVE AS A DATA SUBJECT
As a data subject, you have the following rights: to know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR); to access the processed personal data concerning you (Article 15 of the GDPR); to request rectification of inaccurate personal data concerning you (Article 16 of the GDPR); to request the erasure of personal data concerning you (“right to be forgotten”) (Article 17 of the GDPR); to restrict data processing (Article 18 of the GDPR); to transfer personal data (“right to data portability”) (Article 20 of the GDPR); to object to the processing of personal data (Article 21 of the GDPR); to withdraw the given consents (Article 7(3) of the GDPR); to lodge a complaint to the State Data Protection Inspectorate or the competent court (Article 12(4) of the GDPR).
If you are concerned about the Company’s actions / omissions which, in your opinion, may lead to potential non-compliance with the requirements of this Privacy Statement or legal acts, you may contact the Company using the contact details indicated in this Privacy Statement.
[1] The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
