PRIVACY POLICY

This privacy policy defines the principles and procedure of personal data processing by UAB “Baltic Asset Management” and the conditions of operation of the website www.balticam.lt.

This Privacy Policy is governed by and used by UAB “Baltic Asset Management” group companies and companies affiliated with UAB “Baltic Asset Management”.

I. GENERAL PROVISIONS

1. UAB “Baltic Asset Management” ensures that personal data are processed in a lawful, fair and transparent manner, collected for specified and clearly defined purposes and are not further processed in a manner incompatible with those purposes.
2. Terms used in this Policy include:

• Personal Data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data and an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Data Controller — UAB “Baltic Asset Management”, code: 304602224, registered office address: Upės g. 21, Vilnius;
• Data Subject — Customer of the Company — any natural person whose personal data is processed by the Data Controller;
• Data processing — any operation or sequence of operations which is performed by automated or non-automated means on personal data or on sets of personal data, such as collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination or any other means of making available, alignment with or combination with other data, restriction, erasure, or destruction.

3. The concepts, principles and other provisions used in this Policy are in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as the “GDPR”), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other relevant legal acts.
4. The Data Subject shall be deemed to have read and understood this Policy by voluntarily leaving their data (email address and telephone number) on the website of the Company www.balticam.lt

5. Please be informed that the Data Controller:

1. Processes personal data in a lawful, fair and transparent manner in relation to the Data Subject (principle of lawfulness, fairness, and transparency);
2. Collects personal data for specified, explicit and legitimate purposes and does not further process personal data in a manner incompatible with those purposes (purpose limitation principle);
3. Collects only Personal Data that is adequate, relevant, and necessary for the purposes for which it is processed (principle of data minimisation);
4. Processes only accurate Personal Data and updates it as necessary; takes all reasonable steps to ensure that Personal Data which are not accurate in relation to the purposes for which they are processed are erased or rectified without undue delay (principle of accuracy);
5. Stores Personal Data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed (the principle of storage limitation);
6. Processes Personal Data in such a way as to ensure, by appropriate technical or organisational measures, adequate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss or destruction (principle of integrity and confidentiality);

• The Data Controller is responsible for ensuring compliance with the above principles and must be able to demonstrate compliance with them (principle of accountability).
• The use of third-party services, such as the use of the social media accounts of the Data Controller, may be subject to the terms and conditions of third parties. Therefore, when using the services of such third parties, it is recommended that you also familiarise yourself with their terms and conditions.

II. COLLECTION, PROCESSING, STORAGE OF PERSONAL DATA

6. For the purposes of the provision and performance of the services of the Company, purchasing, and participation in the activities, billing, data analysis, the Data Controller processes the following personal data relating to the Data Subject:

• name, surname,
• personal number or date of birth,
• phone number, email address,
• home address,
• bank account number (for payment for services)
• data on the real estate being bought/sold/owned by the data subject (extract of the object from the Real Estate and Cadastre Register of the State Enterprise Centre of Registers),
• IP address,
• email and social media correspondence (not public records).

7. For the purpose of direct marketing, the Data Controller shall process the following data of the Data Subject:

•  name, surname,
•  phone number, email address.

8. For the purposes of administering customer enquiries, providing quality services, the Data Controller shall process the following data of the Data Subject:

• comment,
• name, surname,
• phone number, email address.

9. Storage of personal data:

• personal data in relation to the core business of the Company, i.e., the purchase and sale of real estate, project management and development, shall be stored for 10 (ten) years. This time limit is due to the possibility of inspections initiated by various public authorities (e.g., STI, SoDra, etc.), which may start 5 (five) years after the conclusion of a specific contract (e.g., a works contract) and require data for the previous 5 (five) years;
• for direct marketing purposes (i.e., offering data subjects to buy/sell/otherwise transfer, in part or in full, real estate relevant to them, contributing to real estate projects under development), the data received shall be stored for a period of 5 (five) years from the date of receipt of data;
• for the purpose of administering enquiries, personal data is stored for 1 (one) year from the date of receipt;
• for the purpose of invoicing, personal data is stored in accordance with the legal requirements applicable to accounting.

10. The data subject may at any time submit a request to withdraw consent to the processing of their personal data by sending an e-mail to the following address: info@balticam.lt or by visiting the office of the Company at the following address: Upės g. 21, Vilnius.

11. The Data Controller collects personal data:

• directly from the Data Subject,
• from publicly available sources, i.e., publicly available data of business partners and/or their representatives are collected by the Company from publicly available systems (social networks, public databases, etc.) in connection with the preparation of relevant tenders, project development, etc.
• The company has a database of all real estate brokers operating in Lithuania. Their data is publicly available and accessible. Whenever the Company sends relevant enquiries to brokers, emails allow them to opt-out of receiving relevant offers of future cooperation.

12. The Data Controller undertakes not to disclose the Personal Data processed to third parties except in the following cases:

• if the Data Subject has consented to such disclosure of personal data;
• when the data is provided to Data Processors providing accounting, online system support, payment and other services;
• companies affiliated with the Data Controller, as well as companies that provide services at the request of the Data Controller, e.g., banks/companies that assist with payment transactions. These companies are limited in their ability to use your information; they cannot use this information for purposes other than to provide services to the Data Controller;
• To other parties where required to do so by law or as necessary to protect the information society services provided.
• where the data are provided for other relevant purposes in the performance of statutory obligations.

Cases where the Data Controller may disclose the information of the Data Subject to other parties:

• to comply with the law or in response to a mandatory court order;
• to confirm the legality of its actions;
• to protect the Data Controller, its rights, property, or security;
• to any related third party in the event of a merger, transfer, or bankruptcy;
• in other cases, with the consent of the Data Subject or a lawful request.

13. By submitting personal data, the Data Subject grants the Data Controller the right to collect, store, systematize, use and process, for the purposes provided for in this Policy, all personal data that are submitted directly or indirectly by visiting the website.
14. It is the responsibility of the Data Subject to ensure that the data provided is accurate, correct, and complete. Knowingly entering incorrect data is considered a breach of the Policy. If the data you have provided changes, you must rectify it without delay and, if you are unable to do so, inform the Data Controller thereof. In no event shall the Data Controller be liable for any damage caused to the Data Subject and/or third parties as a result of the incorrect and/or incomplete personal data provided by the Data Subject, or the failure to request the completion and/or modification of the data following a change in them.

The Data Controller does not collect sensitive information about the Data Subject.

The Data Controller does not carry out automated decision-making or profiling based on information about the Data Subject.

The Data Controller does not share the personal data of the Data Subject with entities outside the European Economic Area.

The Data Controller may share personal data with UAB “Baltic Asset Management” group companies and UAB “Baltic Asset Management” affiliates.

III. COOKIES

The Data Controller uses cookies on its Website in order to properly process information about Data Subjects (hereafter referred to as “Visitors”) when they visit the Website of the Data Controller.

Cookies are files that store information on the hard drive of a computer or in a search engine. They can be used to identify visits to the Website of the Data Controller, to see the history of visits, and to tailor content accordingly.

Cookies are also used to ensure the most user-friendly browsing experience and the smooth functioning of the website, to monitor the duration and frequency of visits and to collect statistical information about the number of visitors to the Website. They also help to improve the functioning of the Website and to implement improvements and adapt the Website to the optimal needs of its Visitors.
16. The websites and social media accounts operated by the Data Controller allow the Data Subject to provide information directly to the Data Controller (for example, by subscribing to a newsletter on the website). The following information is obtained directly from the Data Subject:

• e-mail.

The following information is obtained indirectly:

• information about how the websites of the Data Controller are used (for example, the following information may be collected):
• device information, i.e., IP address, operating system version and settings of the device used by the Data Subject to access the content/products;
• login information, i.e., the timing and duration of the use of the session by the Data Subject, the timing of requests made by the Data Subject on the websites of the Data Controller and any information stored in cookies stored on the device of the Data Subject;
• location information, i.e., the GPS signal of the device or information about the nearest WiFi access points and mobile towers, which may be transmitted to the Data Controller by the Data Subject when using the content of the websites of the Data Controller;
• information from third-party sources.

The Data Controller may obtain information about the Data Subject from public and commercial sources (to the extent permitted by applicable law) and associate it with other information received from or about the Data Subject.

The Data Controller may also obtain information about the Data Subject from third-party social networking services when the Data Subject accesses them, for example, through accounts on Facebook.

The Data Controller may collect information about the Data Subject, their device, or their use of the content of the websites with the consent of the Data Subject.

The Data Subject may choose not to provide the Data Controller with certain information (e.g., subscription or marketing information), but in this case, the Data Controller will not be able to provide the Data Subject with the most recent offers or to contact the Data Subject promptly when the Data Subject has the most suitable offer.
17. The processing of data by means of cookies does not allow the direct or indirect identification of Visitors to the Website.
18. The visitor can delete cookies from their computer or block them in their web browser, but some of the functionality of the website may not work or may not function correctly.

IV. RIGHTS OF DATA SUBJECTS

19. The Data Controller shall guarantee the exercise of the rights of the Data Subject and the provision of any relevant information upon request or enquiry by the Data Subject:

• to know (be informed) about the processing of your personal data;
• to have access to your personal data and how they are processed;
• to request the rectification or deletion of your personal data or the suspension, other than storage, of processing of your personal data;
• to object to the processing of personal data, including direct marketing;
• to request the erasure of personal data (“right to be forgotten”);
• to request the portability of your personal data, i.e., access to your personal data in the form of personal data in a commonly used and computer-readable format;
• the right to lodge a complaint with the State Data Protection Inspectorate.

The Data Controller may prevent Data Subjects from exercising the above-mentioned rights where, in the cases provided for by law, it is necessary to ensure the prevention, investigation, and detection of crimes, breaches of official or professional ethics, as well as the protection of the rights and freedoms of the Data Subject or other persons.

20. A data subject who has presented a document confirming their identity or who has confirmed their identity by means of the procedure established by law or by means of electronic communications (provided that they allow for proper identification of the person) shall have the right to have access to their data processed by the Company at any time, free of charge, upon submitting a request to the Controller, and to obtain information on the sources from which their personal data were collected, the purpose for which they are processed, and the recipients to whom the data is being provided and to whom it has been provided for the past 1 (one) year. The Data Subject shall also have the right to request the rectification of incorrect, incomplete, inaccurate personal data, to request the suspension, except for storage, of the processing of their personal data when the data are processed in violation of the law and the terms of this Policy.
21. The Data Subject may submit a request for the exercise of their above-mentioned rights at the office of the Company, at the following address: Upės g. 21, Vilnius, by filling in the application form, or by sending it by e-mail to: info@balticam.lt
22. The Data Subject shall have the right to withdraw consent at any time to the extent that the processing of personal data is based on consent, without affecting the lawfulness of the processing based on consent prior to the withdrawal of consent, as provided for in the Policy.

23. The website(s) or social media accounts of the Data Controller may contain links to third parties whose websites and services are not under the control of the Data Controller. The Data Controller is not responsible for the security and privacy of information collected by third parties. The Data Subject must be careful and read the privacy statements applicable to third-party websites and services used by the Data Subject.

24. If the Data Subject is not satisfied with the response of the Data Controller or considers that the Data Controller is not processing personal data in accordance with the legal requirements, the Data Subject shall have the right to lodge a complaint with the State Data Protection Inspectorate of the Republic of Lithuania.

V. FINAL PROVISIONS

25. Legal relations related to this Policy shall be governed by the law of the Republic of Lithuania.
26. The Data Controller shall not be liable for damages, including damages caused by interruptions in the use of the Website, for loss or corruption of data caused by the actions or omissions of the Data Subject himself or by the actions or omissions of third parties acting with the knowledge of the Data Subject, including erroneous data entry, other errors, intentional damage, or other misuse of the Website. The Website Provider shall also not be liable for interruptions of access to and/or use of the Website and/or damage caused by such interruptions due to the actions or omissions of third parties not related to the Data Controller or the Data Subject, including interruptions of the electricity supply, Internet access, etc.
27. The Data Controller has the right to amend the Policy in part or in full. This Privacy Policy shall be reviewed once every 2 (two) years and updated as necessary.
28. Amendments or changes to the Policy shall take effect from the date of their publication on the Website.
29. If the Data Subject continues to use the Website after the addition or modification of the Policy, the Data Subject shall be deemed not to object to such additions and/or modifications.