Rules for the Processing and Use of Personal Data

I. KEY DEFINITIONS

1. Company: UAB, Kvarkas (company code: 300143364); Address: Vilnius, Mėsinių g. 9-1, LT-01133, Lithuania; Phone: +370 68713560; E-mail: [email protected]
2. Data subject means a natural person from whom the Companies purchase goods and services. This provides the company with reliable data related to purchasing.
3. Employee means a person who has entered into an employment or similar contract with the Company and is appointed to process personal data by the decision of the Head of the Company or whose personal data is processed.
4. Personal data means any information relating to a natural person – a data subject known to be or may be directly or indirectly identified using data such as name, surname, date of birth, one or more physical, physiological, psychological, economic, cultural or social features.
5. Data recipient means a legal or natural person to whom personal data is provided.
6. Provision of data means the disclosure of personal data by transmitting or otherwise making them available (except for publication in mass media).
7. Data processing means any activity performed with personal data: collection, recording, accumulation, storage, classification, grouping, aggregation, modification (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction or other action or set of actions.
8. Automatic data processing means processing of data, fully or partially carried out by automated means.
9. Data processor means a legal or natural person (who is not an employee of the data controller) authorised by the data controller to process personal data. The data processor and/or the procedure for assigning the data processor may be specified in laws or other legal acts.
10. Data controller means a legal or natural person who, alone or together with others, determines the purposes and means of the processing of personal data. If the purposes for the processing of data are laid down by laws or other legal acts, the data controller and/or the procedure for assigning the data controller may be specified in those laws or other legal acts.
11. Special personal data means data relating to the racial or ethnic origin of a natural person, political, religious, philosophical or other beliefs, membership in trade unions, health, sexual life, as well as information on a person’s criminal record.
12. Social and public opinion research means systematic collection and interpretation of data and/or information on natural and legal persons by means of statistics, analyses and other methods used by the social sciences in order to obtain the insights required for decision-making purposes. Social and public opinion research cannot lead to direct marketing.
13. Consent means a voluntary statement by the data subject of the will to process his or her personal data for a purpose known to him or her. Consent to the processing of sensitive personal data must be expressed in a clear, written or other equivalent form that clearly demonstrates the will of the data subject.
14. Direct marketing means the activity of offering goods and services to individuals and/or seeking their opinion on the goods or services offered by post, telephone or other means.
15. Third party means a legal or natural person, other than the data subject, the data controller, the data processor and persons who are directly authorised by the data controller or the data processor to process the data.
16. Internal administration means an activity that ensures the independent functioning of the data controller (structure management, personnel management, management of available material and financial resources, clerical management).
17. Other terms used in these Rules for the Processing and Use of Personal Data (hereinafter referred to as the Rules) are in conformity with the definitions established in the Law on Legal Protection of Personal Data of the Republic of Lithuania.

II. GENERAL PROVISIONS

1. These Rules regulate the actions of the Company and its employees in the processing of personal data, using the automatic and non-automatic means of personal data processing installed in the Company, also establish the rights of the data subject, implementing measures for the protection of personal data and other issues related to the processing of personal data.
2. The aim of the rules for the processing of personal data at the Company is to regulate the processing of personal data in the Company, ensuring compliance with and implementation of the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other related legal acts.
3. The purpose of the rules is to provide the basic means of processing personal data as well as the technical and data security organisational measures for the implementation of the data subject’s rights.
4. The Company collects the data of the data subject, which they voluntarily provide by e-mail, registered post, fax, telephone, directly to the office of the Company’s intermediary, by registering on the Company’s website and becoming a registered user (when provided by the Company), by becoming a member of the Company’s club (when provided by the Company) or using the Company’s website.
5. The Company, by taking care of the privacy of the data subject and maintaining the trust of the data subject, undertakes to protect the privacy of the data subject and to use the provided information exclusively for the purposes specified in these Rules.
6. Personal data is processed and used depending on the purposes for which the data subject provided it to the Company or for other purposes approved by the data subject.
7. The purposes for which the data subject’s personal data are used:
   7.1. For the processing and administration of the data subject’s purchased services (order);
   7.2. For the identification of the data subject in the Company’s information systems;
   7.3. For the identification of the data subject by logging in to their account on the Company’s website (when provided by the Company);
   7.4. For issuing purchased (ordered) goods, services, service coupons, confirmations, invoices and other financial documents;
   7.5. For solving problems related to the implementation, provision and use of services;
   7.6. For contacting the data subject in the event of a change in the conditions of the services acquired by the data subject;
   7.7. For fulfilling other contractual obligations;
   7.8. For direct marketing purposes;
   7.9. For security, health, administrative, crime prevention detection and legal purposes;
   7.10. For business analytics and statistical analysis, general research that allows to improve services and improve their quality;
   7.11. For audits.
8. By submitting their personal data to the Company, the data subject confirms and voluntarily agrees that the Company shall manage and process the personal data of the data subject in accordance with these Rules, applicable laws and other regulatory legal acts.
9. All employees of the Company who process personal data in the Company or become aware of them while performing their duties, all data processors employed by the company and third parties, used by the Company to provide the service and only in cases when it is necessary to provide the service, must comply with the Rules.
10. The Rules have been prepared in accordance with the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.

III. PRIVACY AND PERSONAL DATA

1. The information collected by the Company may be: The data subject’s and/or the person’s represented by the data subject name, surname, address, e-mail address, telephone number, data (date of issue, place, date of validity, number) of identity documents (passport, identity card), personal identification number, date of birth, sex, credit/debit card or other payment details, details of persons traveling with the data subject, information on special needs (applies only to those with such needs), information on the goods or services purchased by the data subject (their quantities, purchase dates, prices of purchased services, purchase history, employee with whom the goods or services were purchased and other information related to the acquisition of the service), the data subject’s login name and password in encrypted form on the Company’s website (if the Company provides such an option). The Company’s website may collect certain information about the data subject’s visit to the website, such as: the Internet Protocol (IP) address through which the data subject accesses the Internet; the date and time of the data subject’s visit to the Company’s website; other websites that the data subject visits while on the Company’s website; the browser used; information about the data subject’s computer operating system; mobile app versions; language settings and more. If the data subject uses a mobile device, data may also be collected to determine the type of mobile device, the settings of the device, and the geographical (longitude and latitude) coordinates. This information is used to improve the Company’s website, to analyse trends, to improve products and services and to administer the Company’s website. The data subject voluntarily provides this data using the services provided by the Company, having become a registered user of the Company’s website or by visiting the Company’s website.
2. All personal data specified and received by the data subject shall be collected, stored and processed in accordance with the requirements provided for in the Law on Personal Data Protection of the Republic of Lithuania and other legal acts regulating the protection of personal data in the Republic of Lithuania. The Company ensures the protection of the received data and undertakes to use this information only with the consent of the data subject and only in cases provided by law, as well as in cases necessary for the provision of the service ordered by the data subject.
3. In performing their duties and processing the personal data of the data subject, the employees of the Company shall adhere to the following principles:
   3.1. They shall collect, process and store the information provided by the data subject only for a legitimate interest and in strict compliance with the requirements of the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Civil Code of the Republic of Lithuania, other legal acts regulating this legal area in the Republic of Lithuania and these Rules.
   3.2. The personal data of the data subject shall be processed accurately, fairly and lawfully.
   3.3. They shall collect the personal data of the data subject for defined purposes.
   3.4. The collection and processing of personal data shall comply with the principles of purposefulness and proportionality, and shall not require the data subject to provide data that is not necessary and shall therefore not be collected.
   3.5. They collect only the data necessary for the provision of quality services, including consultations on the Company’s products and services.
   3.6. The personal data of the data subject may be disclosed only by the Company’s employees with the relevant competence and/or third parties who have been used by the Company to provide the service, and only in cases when it is necessary for the provision of the service.
   3.7. The Company does not disclose the personal data of the data subject to third parties, except in cases provided by law or if the Company is obliged to do so by the data subject.
   3.8. The Company strives to ensure that the data of the data subjects is comprehensive, up-to-date and orderly, therefore it is constantly revised and updated.
4. The Company respects the privacy of the data subject and undertakes to comply at all times with the data protection principles set out in these Rules.
5. The personal data of the data subject shall be stored for no longer than required by the purposes of data processing, laws and other legal acts.

IV. MARKETING AND CORRESPONDENCE

1. By purchasing goods sold by the Company or using the Company’s services, you agree that the personal data provided by the data subject will be used for the Company’s marketing purposes.
2. Possibilities of the data subject to receive the information sent by the Company:
   2.1. After visiting the Company’s website, the data subject has the opportunity to subscribe to the Company’s newsletters.
   2.2. In case it is possible to register on the Company’s website and become a registered user, after registering and becoming a registered user of the Company’s website, the data subject agrees to receive the Company’s newsletters, information notices, offers, discounts, promotions, etc.
3. The Company also gives the data subject the opportunity to refuse the information sent by the Company:
   3.1. The data subject has the possibility to refuse the information sent by the Company by clicking on the provided link to withdraw the Company’s offers and news, available in a newsletter or other letter sent to the data subject.
   3.2. If the data subject is a registered user of the Company’s website who no longer wishes to receive unwanted information about the services provided by the Company, they may make changes at any time by logging in to their account or by notifying the Company’s administration in writing (electronically or physically) or by telephone of their decision.
4. The data provided by the data subject, which is used for direct marketing purposes, helps to ensure the continuous improvement and development of the Company’s website and the Company’s services and provides an opportunity to submit the best possible service offers.
5. The Company uses the data of the data subject for marketing activities permitted by law. For example: based on the information provided by the data subject, when the data subject is visiting the Company’s website, using mobile apps or browsing third party websites and social networks, offers tailored to the data subject may be displayed.
6. Personal data shall be collected, processed and used for marketing purposes in such a way as to prevent the disclosure of the data subject’s identity or other personal data, which could be used to identify a person.
7. The data subject may also exercise their right to refuse to have their data processed for the purpose of direct marketing by informing the Company by post or electronic means.

V. COOKIES AND THEIR USE

1. Some of the information is collected automatically at the time the data subject visits the Company’s website, as the data subject’s Internet Protocol address must be recognised by the Company’s server.
2. The Company’s website also uses data analysis management tools, i.e., cookies.
3. By using the Company’s website, the data subject agrees to the storage of the cookies mentioned in these Rules on the data subject’s computer (device).
4. Cookies are small amounts of data that a website places on the data subject’s computer. Web pages have no memory. When the data subject browses different web pages, the data subject will not be recognised as the same user. Cookies allow the website to identify the data subject’s browser. The main purpose of cookies is to remember the data subject’s preferences, such as the preferred language of the website. Cookies also help identify the data subject when they return to the same web page. They help to tailor the website to personal needs. Cookies cannot be used to run programs or transfer viruses to the user’s computer. Cookies are for the data subject only and can only be read by the web server of the domain that sent the cookie to the data subject. One of the most important purposes of cookies is to provide a convenient feature to save time for the data subject. For example, if the data subject uses a website for personal purposes or browses a web page, cookies will help the web page to remember specific information later. This makes it easier to present relevant content, easier to navigate the web page, etc. When the data subject returns to the web page, they can find the information that they have previously provided, thus making it easier to use the already customised functions of the web page.
5. There are different types of cookies and different ways to use them. Cookies can be categorised according to their purpose, longevity and their location on the website. The processing of data with the help of cookies does not allow the direct or indirect identification of the user.
6. The following types of cookies are used on the Company’s website:
   6.1. Technical cookies: the Company strives to provide users of the Company’s website with an advanced and easy-to-use website that automatically adapts to their wishes and needs. To achieve this, the Company uses technical cookies that allow you to view the website and enable it to function properly. The Company’s website only works properly thanks to technical cookies.
   6.2. Functional cookies: the Company also uses functional cookies that allow it to remember the data subject’s choices and at the same time use the website efficiently. For example, thanks to cookies, the website remembers the language chosen by the data subject, the searches or reviews performed, the goods and services offered by the Company. These types of cookies are not necessary for the operation of the website, but they add more options and make the browsing experience of the data subject more enjoyable.
   6.3. Analytical cookies: the Company uses these types of cookies to understand how the Company’s visitors use the Company’s website, to discover the weak and strong parts of the website, to optimise and improve the website’s performance and to further implement advanced solutions. The data collected includes the pages viewed by the data subject, the type of platform used by the data subject, the date and time information, the number of clicks, the mouse movement and browsing activity, keywords and other text collected by the data subject while browsing the website. The Company also uses analytical cookies for online advertising companies to analyse consumer behaviour after they are shown the Company’s online advertising. The Company does not know which data subject is being analysed as it only collects anonymous information.
   6.4. Commercial cookies: the Company uses these cookies to place the Company’s advertisements on other websites. So-called “targeted advertising” appears based on information about the goods or services a visitor is looking for.
7. The purpose of these management tools is to ensure the quality of website browsing, to help the Company find out the traffic of the Company’s website and its separate parts, to understand the flow of users of the Company’s website, to improve the Company’s website, online services and to better meet the needs of its visitors.
8. Each time the data subject visits the Company’s website, the data subject may accept or refuse the use of cookies, however, in this case, the Company cannot guarantee the quality of the website browsing. Most web browsers automatically accept cookies, but if the data subject so wishes, the browser may be easily modified to prevent the acceptance of cookies. Thus, the data subject has the possibility to delete some or all cookies from their computer at any time or to block them using a web browser on their computer. By blocking cookies, some parts of the Company’s website may not work or function properly for the data subject due to technical reasons.
9. No personal customer data is collected through cookies.
10. No information is provided to any third parties during the storage of the required cookies.

VI. USING WEBSITE INDICATORS

1. The company sometimes uses not only cookies but also website indicators. It is a tiny graphic image of just one pixel that enters the data subject’s computer as part of a web page or as an HTML electronic message. Directly or through other service providers, the Company uses these images as online advertising or on third-party websites in order to find out if the user to whom the ad is displayed is placing an order as well as to analyse consumer movement and optimise the services offered.
2. The Company may include website indicators in promotional e-mails or informational messages in order to determine if these types of e-mails have been opened. Some website indicators may be added by third party service providers to determine the effectiveness of the Company’s advertising campaigns or e-mail communications. The website indicator can be used to place a persistent cookie on the data subject’s computer. It will then be possible to identify the data subject’s computer each time they visit certain pages or when sending e-mails and collect anonymous information about traffic to such websites.

VII. SECURITY AND PROCESSING OF PERSONAL DATA

1. In accordance with the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the regulations of the European Union and other legal acts regulating data protection, the Company shall take measures to prevent unauthorised access or misuse of the data subject’s data. The Company shall ensure that the data provided by the data subject is protected against any unlawful acts: unlawful alteration, disclosure or destruction of personal data, theft of identity and fraud as well as compliance with the level of personal data protection in accordance with the requirements of the legal acts of the Republic of Lithuania. The data storage and processing databases used by the Company are protected from unauthorised access via computer networks.
2. The Company uses appropriate business systems and procedures that allow it to protect and defend the personal data entrusted to the Company by the data subject. The Company uses security systems and technical and physical means to restrict access to and use of the data subject’s personal data on the Company’s servers. For the purposes of work, only employees of the Company with special permits have the right to see the personal data of the data subject provided to the Company.
3. Personal data shall be processed manually and automatically using the personal data processing facilities installed in the Company.
4. Personal data of the data subjects may be processed only by persons authorised by the CEO of the Company.
5. Every employee who processes personal data must:
   5.1. sign a pledge/agreement of confidentiality;
   5.2. process personal data in strict accordance with the laws of the Republic of Lithuania, other legal acts and instructions as well as these Rules;
   5.3. maintain the confidentiality of personal data. They shall observe confidentiality and shall preserve the confidentiality of any information relating to personal data which they have obtained in the course of their duties, unless such information is made public in accordance with the provisions of the laws or regulations in force. The Company’s employee must observe the principle of confidentiality even after the employment relationship has ended;
   5.4. not disclose, transfer or allow access to personal data by any means to any person who is not authorised to process personal data;
   5.5. keep documents and data files properly and securely and avoid making unnecessary copies in order to prevent the accidental or unlawful destruction, alteration and disclosure of personal data as well as any other illegal processing. Copies of the Company’s documents containing personal data must be destroyed in such a way that their contents cannot be reproduced and identified;
   5.6. immediately notify the Head of the Company or their designated responsible person of any suspicious situation that may endanger the security of personal data, and take measures to prevent such a situation.
6. Employees who automatically process personal data or from whose computers it is possible to access areas of the local network, where personal data is stored, must use passwords. Passwords must be changed periodically, as well as in certain circumstances (for example, when a different employee starts using a computer, in the event of possible network intrusion, a suspicion that the password has become known to third parties, etc.). An employee who works with a particular computer can only know their own password.
7. The computer maintenance officer must ensure that personal data files are not “shared” with other computers and that antivirus programs are updated periodically.
8. The employee in charge of computer maintenance makes copies of the data files on the computers. If these files are lost or damaged, the responsible employee must restore them within a few working days.
9. The employee loses the right to process personal data when the employee’s employment or similar contract with the Company expires or when the Head of the Company revokes the appointment of that particular employee to process personal data.
10. The data subjects’ documents and copies thereof, financing, accounting and reporting, archives or other files containing personal data are stored in lockers or safes. Documents containing personal data must not be kept in a visible place accessible to everyone.
11. In order to ensure the protection of personal data, the Company implements or plans to implement the following personal data protection measures:
12. 
    12.1. administrative (organisation of safe documents and computer data and their archives, as well as the organisation of work in different fields of activity, an introduction of personnel to the personal data protection, etc.);
    12.2. technical hardware and software security (administration of servers, information systems, and databases, maintenance of workplaces, maintenance of the Company’s premises, protection of operational systems, protection against computer viruses, etc.);
    12.3. communications and computer networks (firewalling of shared data, programs, unwanted data packets, etc.).
13. The technical and software tools for protecting personal data must ensure the following:
    13.1. The installation of a repository for copies of operating systems and databases, identification of copying techniques and control of compliance;
    13.2. The technology of continuous data processing;
    13.3. The strategy of updating systems in unforeseen cases (management of surprises);
    13.4. The physical (logical) separation of the environment testing programs from operating mode processes;
    13.5. The authorised use of data, its integrity.
14. The data processors employed by the Company or third parties used by the Company to provide the ordered services must guarantee the necessary technical and organisational measures for the protection of personal data and must ensure that such measures are complied with. The Company must be informed about the intended agreements with auxiliary data processors and the prior written consent of the Company for their appointment must be obtained.

VIII. RIGHTS OF THE DATA SUBJECT

1. The data subject has the following fundamental rights:
   1.1. To be aware of the processing of their personal data;
   1.2. To access their personal data and know how it is processed;
   1.3. To require rectification, destruction of the data subject’s personal data or to request the suspension, except for storage, of the processing of the personal data of the data subject when the personal data of the data subject is processed in breach of the provisions of relevant and applicable law;
   1.4. To object to the processing of the data subject’s personal data.
2. The data subject also has the right to refuse to provide personal data. In this case, the data subject automatically waives its claim regarding the quality of services provided by the Company, since the requested data may be necessary for the proper provision of the services requested/ordered by the data subject.
3. The data subject, having submitted an identity document, has the right to access the personal data of the data subject held and processed by the Company, and to obtain information regarding from which sources and which personal data of the data subject have been collected, for what purpose they are processed and to whom they are provided. Upon receipt of a written request from the data subject (by registered post or e-mail), the Company shall provide the data requested in writing (by registered post or e-mail) no later than within 30 calendar days from the date of receipt of the data subject’s request, or shall state the reasons for refusing to grant such a request. The Company shall provide the response to the data subject in the same format as the request, unless the data subject’s request expresses a wish to obtain the information by other means.
4. If the data subject is a registered user of the Company’s website, the data subject may view and edit the personal information provided on the Company’s website and the contact details of the data subject by visiting the relevant sections of the Company’s website.

IX. INTELLECTUAL PROPERTY RIGHTS

1. Unless otherwise stated, the software required for the Company’s services is available or used on the Company’s website and intellectual property rights (including copyrights) to the content and information on the website belong to the Company. Reproduction, translation, adaptation or any other use of any part (any content, logo, software, products, services, etc.) of the Company’s website in the commercial activities of third parties is prohibited without the prior written consent of the Company. It is prohibited to perform any other actions that may violate the Company’s property rights to the Company’s website as well as any other activity that violates fair competition, advertising, infringes copyright, other laws, and current practices.
2. Any illegal use of the rights or any of the above actions will constitute a material infringement of the Company’s intellectual property rights (including copyright and others).

X. LIABILITY

1. The data subject must provide the Company with complete and correct personal data of the data subject and inform about relevant changes in the personal data of the data subject. The company will not be liable for any damage caused to the data subject and/or third parties due to the data subject’s incorrect and/or incomplete provision of personal data or due to failure to notify their data changes properly and in a timely manner.
2. The Company is not responsible for communication failures that prevent users of the Company’s website and other persons from accessing the website or using the services.
3. The Company does not have the possibility to fully guarantee that the operation of the Company’s website will be uninterrupted and without any disruptions or errors, or that the Company’s website will be fully protected against viruses or other harmful components. The data subject is informed that any material that the data subject reads, downloads or otherwise receives through the Company’s website is at the sole discretion and risk of the data subject, and the data subject alone shall be liable for any damage caused to the data subject and to the data subject’s computer system.
4. If the data subject is a registered user of the Company’s website (when provided by the Company), the data subject assumes all risk and responsibility for the actions of third parties on the Company’s website, performed using the data subject’s login data, and undertakes to fulfil all the obligations assumed by using the data subject’s login details.

XI. AMENDING THE RULES

1. The Group of Companies has the right to amend the Rules in part or in full by announcing it on the websites of the Companies.
2. Additions or amendments to the Rules shall take effect from the date of their publication, i.e., from the date on which they are posted on the Company’s website.
3. If the data subject does not agree with the new wording of the Rules, the data subject has the right to refuse to use the services provided by the Company and on the Company’s website.
4. If, after supplementing or amending the Rules, the data subject continues to use the services provided by the Company or on the Company’s website, the data subject shall be deemed to have agreed to the new version of the Rules.

XII. FINAL PROVISIONS

1. When the data subject visits the Company’s website and provides information about themselves to the Company’s partners and/or employees, it is considered that the data subject has read and agrees with the provisions of these Rules.
2. The law of the Republic of Lithuania shall apply to these Rules and to the legal relations arising on the basis of these Rules.
3. All disputes arising out of the implementation of these Rules shall be settled by negotiation. If no agreement is reached, disputes shall be settled in accordance with the procedure established by the legal acts of the Republic of Lithuania.