Skip to main content

UAB “KINETUS” PERSONAL DATA MANAGEMENT RULES

APPROVED 2023-07-23 UAB “KINETUS” Director’s Order No. 230723/01

  1. GENERAL TERMS
    1. Data Controller – means UAB “KINETUS”, company code 306241580, address Liucern┼│ g. 18, Kaunas, Republic of Lithuania, website address: https://www.kinetus.lt, whose data is collected and stored in the Register of Legal Entities of the Republic of Lithuania.
    2. Personal Data – any information related to a natural person – data subject, whose identity is known or can be directly or indirectly identified using such information as the personal code, one or more personal, physiological, psychological, economic, cultural, or social characteristics.
    3. Data Subject – means a natural person from whom the Data Controller collects and processes personal data.
    4. Employee – means a person who has concluded a contract of employment or a similar contract with the Data Controller and is appointed by the decision of the Data Controller’s manager to process personal data or whose personal data is processed.
    5. Data Recipient – a legal or natural person to whom personal data are provided.
    6. Data Provision – disclosure of personal data by transmitting or otherwise making them accessible (excluding publication in the media).
    7. Processing of Personal Data – means any action performed with personal data: collection, recording, storage, classification, grouping, linking, modification (supplementing or rectifying), provision, publication, use, logical and/or arithmetic operations, search, dissemination, erasure, or any other action or set of actions.
    8. Automated Data Processing – data processing actions performed fully or partially by automated means.
    9. Data Processor – a legal or natural person (who is not an employee of the data controller) authorized by the data controller to process personal data. The data processor and/or its appointment procedure may be established by laws or other legal acts.
    10. Third Party – a legal or natural person other than the data subject, data controller, data processor, and persons directly authorized by the data controller or data processor to process data.
    11. Consent – the voluntary expression of the data subject’s will to process his/her personal data for a known purpose. Consent to process special personal data must be expressed clearly – in writing or equivalent form that clearly demonstrates the data subject’s will.
    12. Direct Marketing – activities aimed at offering goods or services to individuals by mail, telephone, or other direct means and/or requesting their opinions on the goods or services offered.
  1. GENERAL PROVISIONS
      1. These RULES FOR THE MANAGEMENT AND USE OF PERSONAL DATA (hereinafter referred to as the Rules) regulate the actions of the Data Controller and its employees in processing personal data, as well as stipulate the data subject’s rights, measures for the implementation of personal data protection, and other matters related to the processing of personal data.
      2. The Data Controller collects the personal data of the data subject, which the data subject provides directly when visiting the Data Controller’s office, using the Data Controller’s website https://www.kinetus.lt, email, registered mail, telephone, filling out registration forms, or other means.
      3. The Data Controller undertakes to use the information provided by the data subject exclusively for the purposes specified in these Rules and not to disclose this information to any third parties without the data subject’s consent, except for the Data Controller’s partners providing services related to the proper execution of services ordered by the data subject.
      4. The Data Controller may also transfer the data subject’s personal data to third parties acting as data processors on behalf of the Data Controller. Personal data may only be provided to those data processors with whom the Data Controller has concluded the appropriate agreements.
      5. Purposes of processing the data subject’s personal data:
        1. For the administration of services provided by the Data Controller and the fulfillment of contractual obligations;
        2. For e-commerce purposes;
        3. For direct marketing purposes.
  1. PROCESSING OF PERSONAL DATA
      1. By providing their personal data to the Data Controller, the data subject confirms and agrees that the Data Controller will process the data subject’s personal data in accordance with these Rules, applicable laws, and other normative legal acts.
      2. The data subject’s personal data are processed using both non-automated and automated methods using technical and organizational measures implemented by the Data Controller.
      3. The information collected by the Data Controller includes the data subject’s name, surname, address, email address, telephone number, data of identity documents (passport, identity card) (date of issue, place, validity period, number), personal code, date of birth, gender, credit/debit card, bank account details, etc.
      4. The Data Controller’s website collects information about the data subject’s visit: IP address; visit date and time; computer operating system and browser used; language settings, etc.
      5. If the data subject uses a mobile device, information about the mobile device type, device settings, and geographic coordinates are collected.
      6. The Data Controller’s employees, when performing their duties and processing the data subject’s personal data, follow these principles:
        1. They collect, process, and store the information provided by the data subject only for a legitimate purpose and only the data necessary for administering the services provided by the Data Controller.
        2. When collecting and processing personal data, they do not require the data subject to provide data that is not necessary for the administration of the Data Controller’s services.
        3. Only the Data Controller’s employees authorized to provide the service have access to the data subject’s personal data.
        4. The employees of the company do not disclose the data subject’s personal data to third parties, except as provided by law or if necessary to provide the services specified in the Data Controller’s contract.
        5. When collecting, processing, and storing the data subject’s personal data, the Data Controller’s employees must comply with the requirements of the Republic of Lithuania Law on the Legal Protection of Personal Data, the Civil Code of the Republic of Lithuania, and these Rules.
      7. The data subject’s personal data are stored no longer than is required by the purposes of data processing, laws, and other legal acts.
  1. USE OF COOKIES
    1. The Data Controller’s website https://www.kinetus.lt uses data analysis management tools – cookies. Cookies are small amounts of data that the website places on the data subject’s computer. The main purpose of cookies is to remember the data subject’s choices and optimize the accessibility of the website.
    2. Cookies are used to collect statistical information about the website or its parts’ visitation and to identify the data subject’s device, facilitating the data subject’s access to the website and its information and ensuring the smooth operation of the website. Cookies are not used for collecting personal data.
    3. The data subject visiting the Data Controller’s website www.kinetus.lt has the option to agree or refuse to use cookies, but in this case, the Data Controller cannot guarantee the quality of browsing the website.
    4. The data subject can choose which cookies to allow/block by marking/unmarking the checkbox in the respective graph. Blocking cookies may cause certain parts of the website not to work or work improperly for technical reasons. To get more information about the current list of cookies used on the Data Controller’s website or to configure the use of cookies, the data subject can visit https://www.kinetus.lt/privacy-policy.
  1. IMPLEMENTATION OF DATA SUBJECT RIGHTS
    1. The data subject has the right:
        1. to know (be informed) about the processing of their personal data;
        2. to access their personal data and how it is processed;
        3. to demand correction, destruction, or suspension (except storage) of their personal data processing actions when the data is processed in violation of applicable legal requirements;
        4. to refuse the processing of the data subject’s personal data.
      1. The data subject may give consent or withhold consent for the use of their provided personal data for the Data Controller’s marketing purposes by expressing their consent/disapproval with regard to tourism service provision in the respective section by signing it or marking/unmarking the checkbox on the website.
      2. The data subject may give consent or withhold consent for the use of their provided personal data for the Data Controller’s marketing purposes by completing questionnaires provided by the Data Controller after the trip, participating in other activities organized by the Data Controller, such as games, quizzes, promotions, etc., by expressing their consent/disapproval by marking/unmarking the checkbox in the respective section.
      3. When visiting the Data Controller’s website, the data subject has the opportunity to subscribe to newsletters by entering their email address into the respective field and clicking “SUBSCRIBE.” The data subject also has the possibility to opt-out of receiving newsletters or other information by clicking the link provided by the Data Controller in the email.
      4. Personal data collected for direct marketing purposes is processed and used in a way that prevents the disclosure of the data subject’s identity.
      5. When the data subject visits the Data Controller’s website and provides information about themselves to the Data Controller’s employees or data processors, it is considered that the data subject has familiarized themselves and agrees to the provisions of these Rules.
      6. If the data subject disagrees with the rules for processing personal data, the data subject has the right to suspend the processing of their personal data as indicated in paragraph 5.1.4 of these rules.
      7. The data subject can exercise their rights regarding data protection and implementation of their rights to know about their data processing, edit their data, or refuse data processing for direct marketing purposes by informing the Data Controller directly via phone, mail, or email: info@kinetus.lt.
  1. PERSONAL DATA PROTECTION MEASURES
    1. The Data Controller implements administrative, technical, and software measures to ensure the protection of personal data.
    2. The reservation system used by the Data Controller and the website https://www.kinetus.lt use the HTTPS protocol and SSL certificate, ensuring that all personal data of the data subject is encrypted and protected against unauthorized actions and illegal access through computer networks.
    3. Access to personal data is granted only to those employees who require it for the performance of their job duties. Specific employees can only perform actions with personal data to which they have rights based on their job positions and functions.
    4. Access to the Data Controller’s reservation system is provided with unique passwords to ensure confidentiality.
    5. The Data Controller ensures the security of premises where personal data is stored.
    6. Computer workstations are continuously equipped with and periodically updated with antivirus programs.
    7. Testing of information systems is never conducted with real personal data.
  1. FINAL PROVISIONS
    1. Compliance with and, if necessary, review of the Rules for the processing of personal data are the responsibility of the Data Controller’s manager or their authorized person.
    2. Additions or changes to the Rules for the processing of personal data become effective from the date of their publication on the Data Controller’s website https://www.kinetus.lt.
    3. All disputes arising from the implementation of these Rules are resolved through negotiations. In the event of failure to reach an agreement, disputes are settled in accordance with the laws of the Republic of Lithuania.
    4. Responsible Data Controller employees are familiarized with these Rules by signing them.