The conditions determined by the Policy shall apply each time the person visits the Hotel facility or the Website, regardless of what kind of device (computer, mobile phone, tablet, TV, etc.) is used.
The Data Subject consents and does not object that the Data Controller controls and processes his personal data (including data, which is directly or indirectly provided when visiting the Website and using Hotel services) for the purposes and in accordance with the procedures indicated in this Policy and the legal acts.
Personal data are any information relating to an identified or identifiable natural person such as: name and surname; ID code, a home address, an email address, location data, an Internet Protocol address; one or more characteristics of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data Controller, Hotel – JSC Mega Invest, Hotel Amsterdam Plaza, company code 302508566, address Vytauto str. 79, LT-00134 Palanga, tel. 8 60 110 130, email@example.com.
Data Subject – a person who uses / is interested in the Hotel services, visits the Website, a candidate applying to the available job position published by the Data Controller, a person participating in the Hotel contests, as well as any other person whose personal data are processed by the Data Controller.
Participant – a person participating or intending to participate in games, campaigns and/or contests organised by the Data Controller.
Applicant – a person interested in the services provided by the Data Controller or willing to contact the Data Controller regarding any other matter.
Client – a person who purchased goods, services from the Data Controller or concluded a contract with the Data Controller regarding purchase of goods and/or provision of services.
Candidate – a person participating or intending to participate in recruitment, carried out by the Data Controller.
Data Processor – entities that process personal data managed by the Data Controller in accordance with the Data Controller’s instructions and concluded service provision agreements.
Minors – children under the age of 18. Minors may not provide any personal data without the consent of their parents or legal guardians. If the parents / guardians find out that the minor is providing personal data without their permission, all related data will be deleted after contacting the Data Controller by e-mail firstname.lastname@example.org.
Regulation – 2016 April 27 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
3.The Data Controller shall ensure that the following fundamental principles are followed in adopting and implementing this Policy:
- Personal data of the Data Subject are processed in accordance with the principles of legitimacy, fairness, and transparency.
- Personal data are collected for specified, clearly defined and legitimate purposes.
- Personal data are adequate and complies with the purposes of its processing – the principle of data minimization is applied.
- Personal data are accurate and rectified, updated or deleted within a reasonable time (principle of accuracy).
- Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
- The further processing of personal data for archival purposes in the public interest or for statistical purposes is not considered incompatible with the original purposes (the principle of data retention).
- Personal data may be stored for longer periods if the personal data will be processed only for archival purposes, the public interest, or statistics, upon conducting appropriate technical and organizational measures to protect the rights of the Data Subject (the principle of limitation of storage life).
- Personal data shall be processed to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, against unintentional loss, destruction, or damage (principle of integrity and confidentiality).
- The Data Controller is responsible for ensuring that the above principles are complied with and must be able to prove it (accountability principle).
4.SOURCES OF INFORMATION ABOUT DATA SUBJECT
- Information provided directly by the Data Subject.
- Information obtained from the use of Website.
When the Data Subject visits the Website, information is collected that reveals the peculiarities of the use of the services provided by the Data Controller. Or the visit statistics are automatically generated. More information about this is available in the chapter “Using Cookies”.
- Information where personal data have been obtained from the third-party sources.
The Date Controller may obtain information about Data Subjects from public and commercial sources (to the extent permitted by applicable law) and link it to other information obtained from or about the Data Subject. Information about the Data Subject can also be obtained from the third parties, social networks, social network accounts.
- Other information collected.
The Data Controller may also collect other information about the Data Subject, his/her device, or the use of the content of the Website having the Data Subject’s consent.
The Data Subject may choose not to provide certain information, but in this case the service offered by the Data Controller may not be allowed.
5.PURPOSES OF PERSONAL DATA PROCESSING
5.1. PROCESSING OF PERSONAL DATA FOR OFFERS, CONSULTATIONS, REQUESTS
The Data Controller shall process the following personal data of the Data Subject (including callers) to answer the inquiries, provide information and / or other matters:
• name, surname
• telephone number
• e-mail address
If the Data Subject is contacted by a representative of the Data Subject, the Data Controller shall process the following data of the representative:
• name, surname
• relationship with the Data Subject
• telephone number
• e-mail address.
Applicants’ data are not transferred to any third parties.
5.2. PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF ACCOMMODATION, PROVISION OF SERVICES, ACCOUNTING, DEBT MANAGEMENT
5.2.1. The Data Subject gives the consent to the Data Controller processing the following personal data to reserve the Data Controller‘s services:
• name, surname
• date of birth
• ID code
• data of identity document
• phone number
• e-mail address
• workplace data
• information of applicable loyalty program
• type of payment, credit card details (number and validity date) if case of payment by credit card
• amount to be paid
• number of nights booked
• car registration number
• place of accommodation
• other information related to the product or service ordered.
The information specified in Clause 5.2.1 is necessary for the Data Controller to be able to identify the Data Subject, to contact him/her, to get payment for the provided services or goods sold.
5.2.2. By submitting the personal data, Data Subject confirms that they are accurate. Data Subject updates the personal data in case it changes.
5.2.3. Personal data received by the Data Controller for the purpose of data management / accounting is stored for 10 (ten) years from the date of booking. Data required for debt management is stored until debt collection, but no longer than 10 (ten) years. When personal data become obsolete for the purposes of their processing or the retention period expires, they shall be securely deleted / destroyed, except for those that must be retained in cases and within the time limits imposed by law.
5.2.4. The Data Controller provides the Statistics Lithuania with the following Data Subjects’ data: number of guests, country of origin, purpose of arrival, number of overnight stays.
5.2.5. The Data Controller undertakes not to transfer personal data to any other unrelated third parties, except of the following cases:
• if there is the Data Subject’s consent to the disclosure of personal data
• to the partners of the Data Controller to fulfil the services ordered by the Data Subject. In such cases, service providers shall be provided just with the personal data of the Data Subject, which are necessary to provide a certain service
• pursuing the legitimate interests of the Data Controller (e.g. in case of debt recovery)
• to authorized institutions, in accordance with the procedures stipulated by the legal acts of the Republic of Lithuania.
5.3. PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF DIRECT MARKETING
5.3.2. The Data Controller shall process personal data for the purpose of direct marketing only with the consent of the Data Subject. The following personal data of Data Subjects are processed for the purpose of direct marketing:
• name, surname
• data about participation in a loyalty program
• telephone number
• e-mail address.
5.3.3. The Data Controller may collect statistics on the Data Subject’s behaviour in relation to the use of content of the newsletter (e.g. whether the newsletter has been read, what links have been opened, etc.).
5.3.4. Data Subject‘s e-mail address can be used to present advertisements on social networks, Google and other advertising platforms, customizing the advertisement to the target audience.
5.3.5. The personal data provided by the Data Subject may be profiled for direct marketing purposes to offer tailor-made proposals for the Data Subject. The Data Subject may at any time withdraw the permission to process the personal data by an automated, profiled processing method (if such a meth-od would be used).
5.3.6. The Data Controller may transfer personal data to the third parties providing specialized ser-vices such as sending e-mails, forwarding/transmitting advertisement on special advertising platforms.
5.3.7. The personal data of Data Subjects are processed based on the consent expressed by submit-ting their personal data and allowing to process it for the purpose of direct marketing (Article 6 (1) (a) of the Regulation).
5.3.8. The Data Subject shall have the right to object or at any time withdraw the consent to the processing of the personal data for direct marketing purposes, including profiling, without providing any reasons:
– by clicking on the “unsubscribe from the newsletter”
– by contacting the Data Controller by e-mail email@example.com or by calling +370 60 110 130.
5.3.9. Withdrawal of consent shall not affect the lawfulness of the data processing carried out prior to the withdrawal of consent.
5.3.10. Upon receipt of the Data Subject’s request to delete personal data, the Data Controller shall, not later than within 2 working days, suspend the processing of personal data for the purposes of di-rect marketing and destroy / delete it.
5.3.11. Personal data is processed until the Data Subject revokes the given consent to process per-sonal data, or 5 (five) years from the date of receipt of the consent to process it. The Data Controller may contact the Data Subject for re-consent after 5 (five) years period.
5.3.12. The exception concerning the Data Subject’s prior consent to the use of his personal data for marketing purposes applies in case the offers are sent to the Data Subject / Client by e-mail addresses received from them, for marketing of similar goods and services and the Data Subject / Client did not initially object to such use of the data. The Data Subject / Client shall be given a clear, easily enforceable opportunity to object or refuse such use of the data (e.g. by clicking on the link provided or using the e-mail address to send the refusal message, etc.).
5.4. PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PERSONNEL & CUSTOMER SECURITY, PROPERTY PROTECTION, PREVENTION OF VIOLATIONS, IDENTIFICATION OF VIOLENTS (VIDEO SURVEILLANCE)
5.4.1. All persons entering the territory of the Data Controller are monitored by video cameras (inside and outside of the Hotel, restaurant, outdoor terrace, parking area). Video cameras record person’s and vehicle video data, date and time of video recording, location.
5.4.2.Video surveillance is conducted for the purposes of persons’ and property protection, prevention, and clarification of violations of the law, identification of violators. Video surveillance in the premises / areas intended for the private use (i.e. in bathrooms, showers, changing rooms, etc.) as well as in the Hotel rooms is not carried out.
5.4.3. The video data are managed and processed by the Data Processor with whom the Data Controller has entered into an agreement.
5.4.4. Video surveillance data are stored for 2 (two) weeks. It is automatically deleted after what.
5.4.5. Video data may be transmitted to the state law-enforcement authorities in accordance with the procedures provided in the legal acts of the Republic of Lithuania.
5.4.6. Video surveillance data can be provided to insurance companies in the case of an insured event.
5.4.7. The video surveillance in a particular area is marked by visible information signs.
5.4.8. Personal data for the purpose of video surveillance are processed on the legitimate interest of the Data Controller (Article 6 (1) (f) of the Regulation).
5.5. PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF ORGANIZATION OF CONTESTS, PROMOTIONS, GAMES
5.5.1. The Data Controller may process personal data for the purposes of organisation of contests or promotions only with the consent of the Data Subject. The Data Controller may collect the following personal data of the Participants:
5.5.2. Data are obtained directly from Data Subjects participating in games, promotions and / or competitions. The data are not transferred to any third parties but may be published on the Data Controller’s Website and / or it’s social network accounts. The Data Controller may publish the Participant’s name, surname, and photo.
5.5.3. Personal data are processed based on consent expressed in the submission of the Participant’s personal data (Article 6 (1) (a) (p) of the Regulation).
5.6. PROCESSING OF PERSONAL DATA FOR THE PERSONNEL RECRUITMENT
5.6.1. For the purposes of staff recruitment, the Data Controller shall process the personal data provided by the Candidate to the extent that the personal data have been provided.
5.6.2. Personal data are obtained directly from Candidates and / or from third parties, websites. The data are not passed on to third parties.
5.6.3.Data of the Candidates shall be processed based on consent given when providing their data and to take steps upon the Candidate’s conduct and/or request prior to signing a contract (Art. 6 (1) (a) and (b) of the General Data Protection Regulation.
5.7. PROCESSING OF PERSONAL DATA FOR OTHER PURPOSES
The Data Controller may also process the personal data of the Data Subject for other purposes if the consent of the Data Subject has been obtained or if the processing of personal data is based on other criteria for lawful processing specified by law.
6.1. Personal data are protected against loss, misuse, and alteration through organizational and technical measures. The Data Controller shall take appropriate measures to protect the information. However no website, online operation, computer system or wireless connection is absolutely secure.
6.2. The Data Controller applies different terms of storage of personal data in accordance with the requirements of legal acts and considering the purposes of personal data processing.
6.3. Retention of personal data for longer than specified in the Policy may be carried out in case of:
• There are reasonable suspicions of an illegal activity being investigated.
• Personal data are necessary for proper resolution of a dispute or complaint.
• Backups and other purposes related to the operation / maintenance of information systems.
• When personal data are used as evidence in civil, administrative, or criminal trials.
• In other special cases, conditions required by law.
6.4. Upon expiration of the established time limits (in case they have not been extended) or when the reasons for storage provided for in Section 6.3 cease to exist, the personal data shall be destroyed in a way that it cannot be reproduced.
Terms of personal data storage:
Purpose of processing personal data / Retention period
Customers’ personal data – for the purpose of providing services – 10 years from the date of using the Hotel services
Processing of Candidates’ personal data for re-cruitment purposes – 4 months after the Candidate is hired. Longer storage of the Candidate’s Curriculum Vitae and other data requires the Candidate’s consent. Data of other not hired Candidates shall be destroyed within 4 months of receipt.
Processing of Data Subjects’ personal data for video surveillance purposes – 2 weeks.
Processing of Data Subjects’ personal data for the purposes of organizing games, promotions, and contests – 1 year from the date of the event.
Processing of Data Subjects‘ personal data of for the purpose of direct marketing – 5 years from the date of receipt of the consent un-less the Data Subject wants to extend this period.
7.1. The Data Subject whose data are processed in the activities of the Data Controller has the following rights:
7.1.1. Know (be informed) about the processing of personal data (right to know).
7.1.2. Get acquainted with the data and the way it is processed (right of access). To do so, the person must provide the Data Controller with an identity document or apply by electronic means for the proper identification of the person. The Data Subject’s personal data shall be provided to the Data Subject free of charge once a calendar year. The Data Subject will be charged a certain fee for the provision of personal data for the second time or more times a year (for example, for receiving a CD, DVD or other medium containing a video, preparation of documents, etc.).
7.1.3. Request to rectify or, depending on the purposes of the processing of personal data, to supplement incomplete personal data (right to rectify).
7.1.4. Request the destruction or suspension of the processing of his personal data (excluding storage) (right to destroy and right to be forgotten); this provision shall not apply if data retention is required by law.
7.1.5. Require from the Data Controller to restrict the processing of personal data for any legitimate reasons (right to restrict).
7.1.6. Submit a complaint to the State Data Protection Inspectorate of the Republic of Lithuania or the Data Controller by e-mail address firstname.lastname@example.org.
7.1.7. Revoke any consent given to the processing of the personal data (in case the personal data are processed based on consent).
7.1.8. Do not consent to the processing of the personal data for the purpose of direct marketing. The Data Subject may submit a written request to the Data Controller by e-mail to email@example.com to stop processing the personal data for the purpose of direct marketing without stating any reasons.
7.1.9. Submit any written request related to the processing of personal data to the Data Controller in one of the following ways: handle directly, send by post to Vytauto str. 79, Palanga LT-00134, Lithuania or e-mail firstname.lastname@example.org. The Data Controller shall respond no later than one month from the date of receipt of such request and take the action specified in the request or refuse to take it. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
7.2. The Data Controller may not provide the Data Subjects the above-mentioned rights (except of the request to stop processing the personal data for the purpose of direct marketing) in case there are lawful requirements to guarantee the prevention, investigation, and detection of crimes / breaches of business or professional ethics / the protection of Data Subject’s, Data Controller’s or person’s rights and freedoms.
8.1. The Data Controller’s Website may contain third-party billboards, links to their websites and services the Data Controller has no control over it, e. g. links to Facebook or Instagram profile. The Data Controller is not responsible for the security and privacy of the information collected by the third parties. The Data Subject must read the privacy provisions applicable to the third-party websites and services used.
8.2. If the Data Subject has provided the personal data via Facebook or Instagram, the Data Controller understands that the Data Subject accepts that his/her contact details will be used to contact him/her to submit the offer for the services or goods.
9.1. The purpose of the Data Controller’s Website is to provide content and features that are tailored for the needs of the user. This requires cookies – small elements of information that are automat-ically generated while browsing the website and stored on the browser’s computer. They help the Data Controller to identify the user as a previous visitor to the Website, save the history of the website browsing and adapt the content accordingly. Cookies also help to ensure the smooth operation of websites, allow to monitor the duration and frequency of visits to websites and collect statistical in-formation about the number of website visitors.
9.2. How to manage and delete cookies. A browser can be configured to accept all cookies, reject all cookies, or notify when a cookie is downloaded. Each browser is different. Instructions about the cookie settings / amendment can be found in the browser’s help menu. The operating system of a certain device may have additional cookie controls. If the visitor of the website does not want information to be collected using cookies, he/she can use the opt out option available in most browsers. To learn more about managing cookies, visit http://www.allaboutcookies.org/manage-cookies/. Please note that in some cases, deleting the cookies may slow down an internet browsing experience, restrict the use of certain features of the website or block access to the website.
9.3.The Data Controller uses various types of cookies and other technologies with specific functions:
• Navigation cookies
These cookies are fundamental to enable to move within the site and use its functions. Without these cookies, it might not be possible to access these functions, or they might not function properly.
• Functional cookies
Cookies are usually triggered by an action by the user and stored on the user device. These cookies enable the website to remember the user’s choices and offer personalized features to the user. The information gathered by these cookies is anonymous and cannot track user behaviour on other websites. Functional cookies are not required on the website but improve the quality of navigation and the user experience.
• Analytical cookies
Analytical cookies are used to determine usage of a website, they may track an individual user, but only to the extent to allow a user’s journey through the website. The results obtained are used anonymously and for statistical purposes only. The website uses the services of certain third parties that independently implement their own cookies.
• Targeted or promotional cookies
These cookies are used to display services that may be of interest to the user or to offer similar ones that user has recently viewed on the website.
10.1. The law of the Republic of Lithuania shall apply to legal relations related to this Policy.
10.2. The Data Controller shall not be liable for damages, including damages caused by disruption of the use of the Website, for loss or damage of data resulting from the actions of the person or third parties acting on the person’s consent, errors, intentional harm, or other misuse of the Website.
10.4. If the Data Subject continues to use the Website and / or the services provided by the Data Controller after the addition or change of the Policy, it is considered that the Data Subject does not object to such additions and / or changes.
10.5. For any questions related to the personal data processing, please contact us by e-mail email@example.com.