defines the commitments and responsibility of the Company in order to protect and respect the privacy of individuals;
Explains how the Company collects, uses and stores personal data;
the data subjects are informed about how their personal data is being processed and what rights each data subject has.
When we process personal data of data subjects, we comply with the General Data Protection Regulation of the European Parliament and the Council, the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Law on the Electronic Communications of the Republic of Lithuania and other directly applicable legal acts regulating the protection of personal data, as well as instructions from the competent authorities.
1.1. Definition of key terms used in the Policy:
1.1.1. data subjectmeans a natural person whose data is managed by the Company;
1.1.2. personal datashall mean any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to individual's physical, physiological, mental, economic, cultural or social identity.
1.1.3. personal data processing shall mean any operation, which is performed with personal data such as: collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations;
1.1.4. data subject's consent means any express, free and unequivocal expression of consent of the duly notified data subject in a statement or in unambiguous manner in which he accepts the processing of personal data relating to him, such as a written, including, given by electronic means, or an oral statement. Tacit behaviour, pre-marked boxes or omissions are not considered to be consent;
1.1.5. data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. In this Policy the Company is considered to be the Data Controller;
1.1.6. data processor shall mean a legal or a natural person other than an employee of the data controller, processing personal data on behalf of the data controller.
1.1.7. employee is a person who has a contract of employment or a contract of similar nature with the Company;
1.1.8. supervisory authority – the State Data Protection Inspectorate;
1.1.9. direct marketing shall mean an activity intended for offering goods or services to individuals by post, telephone or any other direct means and/or for obtaining their opinion about the offered goods or services.
1.1.10. Company's website –www.vinicart.com
1.1.11. General Regulation on the Protection of Personal Data – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the Protection of Personal Data).
1.1.12. client is a natural person who is 16 years old or older, who has registered on the Company's website and uses or intends to use the services of the Company and for this purpose has submitted his/her personal data to the Company;
1.1.13. other terms used in the Rules meet the definitions provided for in the General Data Protection Regulation and the Law on the Legal Protection of Personal Data of the Republic of Lithuania.
1.2. The purpose of this Policy is to facilitate the exercise of the data subjects' rights.
1.3. This Policy also applies to the protection of personal data of other data subjects (i.e. not clients and not employees) whose personal data is managed by the Company or will be managed in the future.
1.4. Personal data processed by the Company shall be accurate, adequate and not excessive in relation to the purposes for which they are collected and further processed; Where personal data is processed, personal data is constantly updated.
1.5. To create an account on the Company's website, persons who are 16 years of age or older are entitled to submit their personal data for processing through the Company's website.
1.6. Customers’ personal data is collected:
1.6.1. For the provision of the Company's services (order processing, administration), customer identification in the Company's information system, customer identification by logging in to their account on the Company's website, for issuing invoices and other financial documents;
1.6.2. video monitoring data for the purpose of protecting property and preventing robbery.
1.6.3. subject to the consent of the data subject, for direct marketing purposes.
1.7. The Company manages the following personal data for the purposes specified in clause 1.6.1. of the Policy: individual’s full name, postal address, telephone number, email address, billing information, bank account number, voice recordings, consignee’s name, surname, postal address and telephone number.
1.8. The Company manages video monitoring data for the purposes specified in the clause 1.6.2.
1.9. The Company manages the following personal data for the purposes specified in clause 1.6.3. of the Policy: full name, email address, telephone number, postal address.
1.10. The legal basis for the processing of personal data referred to in clause 1.6.1. is the Company's obligation to execute a contract concluded with the data subject and/or at the request of the data subject (order) to engage and actions in order to conclude an agreement.
1.11. The basis of the data processing referred to in clause 1.6.2. is the legal interest of data controller and data subject.
1.12. The legal basis for processing the data referred to in clause 1.6.3. is the provision of the consent of the data subject.
1.13. When personal data is processed for direct marketing purposes, the data subject has the right at any time to oppose such personal data at no cost by withdrawing his/her consent.
2.1. Only the employees have a right to manage personal data of the clients within the Company, including their transfer to the third parties provided for in clause 2.2. of the Policy. Each employee is required to protect the confidentiality of personal data of a client and to comply with personal data protection legal acts and the requirements of these Rules.
2.2. In the course of the conclusion of the agreement on the provision of the Company's services, personal data of the client may be transferred only to the Company's partners acting on behalf of the Company as data processors who provide parcel delivery services and other services related to the execution of the service contract (personal data shall be disclosed only to the extent necessary for the provision of the relevant services). Clients personal data may be provided only to data processors with whom the Company has signed agreements containing provisions on the transfer/delivery of personal data and if the data processor ensures the protection of personal data which is required by the General Data Protection Regulation. In all other cases, personal data of clients may be disclosed to third parties only in the cases and according to the procedure established by legal acts of the Republic of Lithuania.
2.3. The Company must comply with the principle of confidentiality and keep confidential any information related with personal data, to which they were given access in the course of their duties, unless such information is publicly available in accordance with applicable laws or regulations.
2.4. Term of personal data processing: personal data is processed until it becomes redundant for the purpose of processing it:
2.4.1. The personal data of clients are collected and processed for the purposes of the provision of services of the Company (clause 1.6.1.) for a maximum of 10 years after the last order placed on the Company's website;
2.4.2. The video monitoring data purpose referred to in clause 1.6.2. is managed to the extent necessary for the protection of the property and prevention of robbery, but not longer than 3 months from the moment video has been recorded.
2.4.3. personal data of clients are processed for the purposes of direct marketing referred to in clause 1.6.3. and processed no more than until cancellation (withdrawal) of the consent to receive advertising.
2.5. When personal data are no longer needed for the purposes of their processing, they are destroyed, except in cases prescribed by law, where the data must be transferred to state archives.
2.6. Personal data protection is organized, provided and maintained by an employee authorized by the Company.
3.1. Rights of the data subject:
3.1.1. to know (be informed) about the processing of your personal data in the Company;
3.1.2. to have an access to your personal data and to be informed of how they are processed in the Company;
3.1.3. to object to the processing of their personal data;
3.1.4. request rectification, correction or addition of incorrect or incomplete personal data, except for storage, destruction of personal data or suspension of processing of his/her personal data;
3.1.5. request to delete the data (the right to be forgotten). This right is valid on one of the following grounds:
184.108.40.206. personal data are no longer needed to achieve the purposes for which the data were collected or otherwise processed;
220.127.116.11. the data subject withdraws the consent on which the processing was based and there is no other legal basis for processing the data;
18.104.22.168. personal data were processed illegally;
22.214.171.124. personal data must be erased in accordance with a legal obligation imposed by European Union or national law;
3.1.6. right to data transferability: the data subject has the right to receive personal data relating to him that he provided to the data controller in a systematic, commonly used and computer-readable format and has the right to transfer that data to another data controller and the data controller to whom the personal data has been provided must not create obstacles, when:
126.96.36.199. data processing is based on a consent or a contract;
188.8.131.52. data are processed by automated means.
3.2. The data subject has the right to submit a complaint to the supervisory authority regarding the allegedly unlawful processing of his or her personal data.
3.3. The data subject has the right to authorize a non-profit institution, organization or association which is properly established in accordance with the law of the Republic of Lithuania and the objectives established by its statutes correspond to the public interest which is in the domain of the protection of the rights and freedoms of the data subject as regards the protection of their personal data on his/her behalf to file a complaint and to exercise on his/her behalf certain rights under the General Data Protection Regulation
3.4. Procedure for the implementation of the data subject’s rights:
3.4.1. a person must submit a written request to the Company (in person, by post, through a representative, or by electronic means) in order to fulfil the rights specified in clause 3.1. The application must be legible, signed by the person, and must contain: the person's name, place of residence, data to maintain contact and information on which of the above rights and to what extent and purpose wishes it to be implemented;
3.4.2. when submitting an application, the person must confirm his/her identity:
184.108.40.206. if the application is submitted upon arrival directly to the Company – to provide a personal identification document or a copy certified by the legal acts of the Republic of Lithuania;
220.127.116.11. if the application is submitted by post – to provide a copy of a person's identity document approved in accordance with the procedure established by the Republic of Lithuania;
18.104.22.168. if the application is filed through a representative – submit a document confirming the representation;
22.214.171.124. if the application is submitted by electronic means – to sign by electronic signature;
3.4.3. the right of the data subject to refuse to process his/her personal data for direct marketing purposes is implemented by informing the data subject about his/her disagreement with the Company by e-mail and providing information about all client's accounts created on the Company's Internet site;
3.4.4. if the data subject has his or her account on the Company's website, to view and edit the personal information provided on the Company's website and may change his/her contact details by visiting the account. The data subject may exercise his/her right to object to the processing of his/her personal data for direct marketing purposes through its own account on the Company's website.
3.5. The requests specified in clause 3.4.1. of this Policy are handled by an authorized person of the Company. The application is examined and the response to the person is submitted not later than within 30 days from the date of receipt of the request.
3.6. When submitting requests under clause 3.4.1., the data subject should not manifestly abuse his/her rights. In the event that the data subject abuses his/her right (for example, he/she contacts the Company for information about the processing of his/her personal data more than once every six months), the Company has the right to demand from the data subject to compensate the administrative costs associated with the execution of such requests.
3.7. The data subject's refusal to process his/her personal data for direct marketing purposes shall respond promptly, within the shortest possible time. Employees of the Company responsible for the computer maintenance take care that the personal data is not further processed for direct marketing purposes.
4.3. The information we collect using cookies is used for the following purposes:
4.3.1. For functional cookie usage and service provision. Cookies are very important for the operation of our website and electronic services, and they ensure the smooth use of their experience for the consumer. For example, if the user so requests, there is no need to enter his/her full name, password or other data every time he/she connects.
4.3.4. Targeted marketing orientation. Using cookies, the Company can collect information to provide advertisement or content for a specific browser by creating different targeting groups.
4.4. Third-party cookies
Those cookies used by other organisations through the Company's website. For example, pixels and tags help the Company deliver relevant ads more effectively and use it for remarketing purposes. They also help the Company to provide research and reporting to advertisers, understand and improve services, and know when the content has been shown to customers.
The Company is using different types of Google cookies. Cookies listed below may be stored in customers browsers:
To learn how to remove web page tracking of Google Analytics cookies, a customer can here. Customer can manage ads personalisation via personal Google account. More information about ads personalisation settings can be found here.
5.1. The Company must implement appropriate organisational and technical measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.
5.2. When personal data security breaches are detected, the Company will immediately remove them.
5.3. Company’s employees respect the principle of confidentiality, as provided for in clause 2.3. of the Policy.
5.4. Antivirus software should be constantly updated on the Company’s computers.
5.5. In case of breach of personal data security, the Company informs the supervisory authority without undue delay and, if possible, within 72 hours after becoming aware of a breach of personal data security, unless the personal data breach should not jeopardize the rights and freedoms of natural persons. If the personal data breach is not reported to the supervisory authority within 72 hours, the reasons for delay must be attached to the report.
5.6. In the event of a breach of personal data security that could seriously jeopardize the data and rights of natural persons, the Company without unjustified delay informs the data subject about the breach of personal data security.
6.2. The Company does not have a possibility to fully guarantee that the Company's website will function without any interruption and that it will be completely protected against viruses. Under no circumstances shall the Company be liable for direct or indirect damages related to the use of the materials available on the Company's website. The data subject is informed that any material that the data subject downloads, reads or otherwise receives using the Company's website is obtained solely at the discretion and risk of the data subject, and therefore the data subject is responsible for the damage caused to the data subject himself/herself or his/her computer system.
6.3. The data subject who has his or her account on the Company's website must ensure the security of its login details. The Company is not liable for damage sustained by the data subject due to improper implementation of the obligation provided for in this clause.
6.4. Unless otherwise specified, the intellectual property rights (including copyrights) on the content and information of the Company's web site are owned by the Company. It is prohibited to reproduce, translate, adapt or otherwise use any part of the Company's web site without the prior written consent of the Company. It is prohibited to perform any other actions that violate or may violate the Company's intellectual property rights on the website and also contravene fair competition.
7. Final provisions
7.1. This Policy shall be updated at least once every two years or after amendments to the legislation regulating the protection of personal data.
7.2. The policy is publicly available on the Company's website. Corporate customers are familiarised with this Policy by electronic means.
7.3. The Employees are introduced to the Policy with signature confirmation.
7.4. The Company shall have the right to partially or completely review this Policy. Employees shall be introduced to changes with signature confirmation.
7.5. Data subjects may apply to the Company's employee by e-mail on any matter related to this Policy to email@example.com