All our chairs are equipped with state-of-the-art spycams, to monitor your experience with Muista. We care about your privacy, so feel free to cover your chair when you’re not in the mood for being watched.
JUST KIDDING – you got it, right?!
- Purpose of the Policy, main concepts
MB “Muista” recognizes by this personal data protection policy (hereinafter – Policy) that personal data protection is important for you – our clients and other data subjects (hereinafter – data subjects) and it undertakes to respect and preserve privacy of each data subject. The data subjects entrust us with their personal information and we are responsible to work to justify their trust every day.
The purpose of the Policy is to determine the main data processing rules applicable to MB “Muista” as a data controller and to ensure compliance and proper implementation of the General Data Protection Regulation (EU) 2016/679 and other applicable legal acts.
In case of any Policy-related questions or requests and complaints related to your personal data processing, or if you want to use your rights of the data subject, you should address us by e-mail email@example.com, phone +370 650 25439.
- Main concepts used in the Policy:
- Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Data subject – any natural person, whose personal data are processed;
- Processing of personal data means any operation which is performed on personal data, such as collection, recording, accumulation, storage, classification, grouping, merging, modification (amendment or alteration), transmission, announcement, usage, logical and/or arithmetical operations, search, dissemination, destruction or any other operation or set of operations;
- Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, e.g., oral or written declaration, including given by electronic means. Silence, pre-marked boxes or omission to act shall not be considered consent;
- Data controller means the natural or legal person, which, alone or jointly with others, determines the purposes and means of the processing of personal data. The concept of data controller covers MB “Muista”: MB “Muista” (registration number 304499742, registered address: Savanorių pr. 221, Vilnius, LT-02300, Lithuania);
- Data processor means a natural or legal person (not the employee of the data controller), which processes personal data on behalf of the controller, i.e., helps the data controller and follows his instructions;
- Employee – a person, who has concluded employment or similar contract with the data controller;
- Data transmission – disclosure of personal data through transmission or other means of making them accessible;
- Supervisory authority – State Data Protection Inspectorate;
- Direct marketing – activities when products and services are offered by post, phone or other direct method and/or when the opinion about the offered products and services is asked, and when newsletters are sent;
- Data controller’s website – https://www.muistachair.com/;
- General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation /GDPR);
- Responsible person – person assigned by the data controller as responsible for personal data protection, including data protection officer (as understood according to the GDPR).
- Other concepts used in the Rules correspond to the definitions provided in the General Data Protection Regulation and in the Law on Legal Protection of Personal Data of the Republic of Lithuania.
- The purpose of this Policy is to make it easier for data subjects to exercise their rights.
- The personal data processed by the data controller are precise, appropriate and in the scope necessary to collect and continue processing them. If it is necessary for personal data processing, the personal data shall be regularly updated.
- The personal data may be collected:
- to acquire services and/or products of the data controller, to conclude, implement and service the contract (order), to identify the client in the data controller’s information system, to register and identify the client on the data controller’s website, to issue invoices and other financial documents, and to answer the clients’ inquiries;
- in presence of consent of the data subject, for direct marketing and marketing (to give promotional messages, newsletters, invitations to events or similar information).
- The data controller shall process the following personal data:
- client’s (its representative’s) name, surname, identification number, title, phone, passport/ID card number, e-mail, work (contact) address.
- The legal ground of personal data processing is the duty of the data controller to implement the contract made with the data subject and/or to undertake actions to make the contract, to execute the order or other obligations upon the request (order) of the data subject.
- When personal data are processed for the purpose of direct marketing, the data subject has a right to object, free of charge, to such personal data processing and to withdraw the consent.
- In order to learn how people are using the website and services and to be able to improve them, to create new content, products or services, the data controller may collect other information, e.g., information about the device of the clients (their representatives), visitors, i.e. IP address, parameters of the device used by the person to access the content, logging information, and information that reveals usage peculiarities of the services provided by data controller or that generates automatically the statistics of visits.
- The data controller may also acquire information about the data subject from public and commercial sources (in the extent permitted by legal acts) and relate it to other information received by the data subject about him(her)self.
- Personal data processing
- Only the data controller’s employees are entitled to process personal data of the clients, including their transfer to third persons indicated in paragraph 2.2 herein. Each employee has to keep the secret of the client’s personal data and to act in compliance with the legal acts on personal data protection and these Rules.
- In implementation of the contracts for services made with the data controller, the personal data of the clients may be transmitted only to the data controller’s partners, who act as data processors in the name of the data controller, who provide services of delivery of parcels and other services related to the execution of the contract for services (the personal data are disclosed only in the extent necessary to provide such services). The clients’ personal data may be transmitted only to the data processors, with whom the data controller has made contracts containing provisions on transmission/provision of personal data, and if the data processor guarantees personal data protection required by the General Data Protection Regulation. In all the other cases, personal data may be disclosed to third persons only in accordance with the terms and conditions of the legislation of the Republic of Lithuania.
- The data controller shall follow the confidentiality principle and keep in secret any information related to personal data that s/he has learnt while executing his/her duties, unless such information was public according to the valid laws and other legal acts.
- The personal data shall be processed until they are not needed any more for the defined processing purposes. The personal data of the clients cannot be processed for more than 10 years from the day when the last contract/order is implemented or expires, or from the last day when the website’s content or services were used. When this term expires, the data shall be deleted in the way that they could not be restored.
- When personal data are not needed any more for the defined processing purposes, they shall be destroyed, save for the cases when the personal data have to be transferred to public archives.
- The personal data protection shall be organized, guaranteed and implemented by the data controller’s responsible person.
- Rights of the data subject and their implementation procedure
- Rights of the data subject:
- to know (be informed) about his/her personal data processing;
- to access own personal data and to learn, how they are processed;
- to object to personal data processing;
- to demand to rectify, supplement or amend incorrect or incomplete personal data, to destroy personal data or to suspend their processing, save for storage;
- to demand to erase personal data (“right to be forgotten”). This right is valid in case of the following grounds:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent or on a contract;
- the processing is carried out by automated means.
- The data subject has a right to lodge a complaint with the supervisory authority regarding supposedly illegal processing of his/her personal data.
- The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of the Republic of Lithuania, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in the General Data Protection Regulation.
- Implementation procedure of the rights of the data subject:
- a person who wants to implement the rights has to submit a written application to the data controller (personally, by post, via representative or using the electronic communication means). The application has to be legible, signed by the person and contain the following information: person’s name, surname, place of residence, contact data and information, which of the aforementioned rights and in what scope s/he intends to implement;
- upon submission of application, the person has to prove his or her identity:
- if the application is delivered directly to the data controller, the personal identity document or its copy certified in accordance with the legislation of the Republic of Lithuania has to be delivered;
- if the application is delivered by post, the copy of personal identity document certified in accordance with the legislation of the Republic of Lithuania has to be delivered;
- if the application is delivered via representative, the representation proof and the copy of personal identity document certified in accordance with the legal acts have to be delivered;
- if the application is delivered using the electronic communication means, it has to be e-signed;
- The data subject’s right to object to processing of his/her personal data for direct marketing shall be implemented by notifying the data controller thereof by e-mail.
- The application shall be examined by the responsible person and the answer shall be given not later than in 30 days from its receipt.
- The controller shall without undue delay and where feasible, not later than 72 hours after having become aware of it, react to the disagreement of the data subject to have his/her personal data processed for direct marketing. The data controller’s employees responsible for data protection have to guarantee that the personal data would not be processed for direct marketing any more.
- Cookies and their usage
- The client, who is using the website, agrees with the usage procedure offered by the data controller and may choose whether to accept the cookies. If the client does not agree to have the cookies recorded into the computer or other terminal device, s/he may change the settings of the browser and turn off all the cookies or turn on/off the cookies one by one. However, we should note that in some cases this may make browsing slower, restrict functioning of certain functions of the website, or access to the website may be blocked. More information is available at org or www.google.com/privacy_ads.html.
- Security of personal data
- The data controller shall implement appropriate organizational and technical measures intended to protect personal data from accidental or illegal destruction, modification, disclosure and any other unlawful processing.
- When violations of personal data security are identified, the data controller shall remove them without delay.
- The employees of the data controller shall observe the confidentiality principle.
- The antivirus program has to be updated continuously in the computers of the data controller.
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
- The data subject has to provide correct and thorough personal data to the data controller and to inform about appropriate changes in the personal data.
- The data controller has no possibility to guarantee completely that the data controller’s website will function without hindrances and will be completely protected from viruses. The data controller is not responsible for damage, including the damage caused by hindrances of internet functioning, loss or destruction of data, if it resulted from actions or omission to act by the data subject or third persons acting upon knowledge of the data subject, including entrance of erroneous data, other mistakes, deliberate damage, and other inappropriate usage of the data controller’s website. The data controller shall not assume any responsibility for direct or indirect losses related to the usage of material and documents available on the data controller’s website. The data subject is notified that any material downloaded or otherwise received by the data subject while using the data controller’s website is received at absolute discretion and risk of the data subject and the data subject shall be responsible for the damage caused to the data subject or his/her computer system.
- Unless provided otherwise, the intellectual property rights (including copyrights) to the content of the data controller’s website and information belong to the data controller. It is prohibited to reproduce, translate, adapt or use otherwise the part of the data controller’s website without advance written consent of the data controller. It is prohibited to perform any other actions that would or could violate intellectual property rights to the data controller’s website and that could be in prejudice to fair competition.
- Final provisions
Updated on February 2021