2. Your personal data controller is the Company - UAB "OLD LT", legal entity code: 302741638, registered office address: Serviso g. 39, LT-92335 Klaipėda, Republic of Lithuania, mailing address. +37064833389, website: www.aromatic89.com, as well as its existing or future branches and representative offices and other legal persons used by the Company in the distribution of its products and authorised to act on behalf of the Company.
3. You may visit the Site and take an interest in the Company's activities, products, goods and services without providing any information about yourself (other than that collected by cookies if you visit the Site).
6. For the provision of services and processing of personal data, the Company may use data processors and/or, at its discretion, hire other persons to perform certain functions on behalf of the Company. In such cases, the Company shall take the necessary technical and organisational measures to ensure that such processors process personal data in accordance with the Company's instructions and the applicable law and shall require the implementation of appropriate personal data security measures. The Company will also ensure that such persons are bound by confidentiality obligations and will not use such information for any purpose other than to the extent necessary for the performance of their assigned functions.
7. All employees, agents and representatives of the Company who become aware of personal data shall be obliged to protect it even after the termination of their employment or contractual relationship.
8. The Company shall take a responsible approach to the processing of personal data and shall make all reasonable efforts to ensure the security, integrity and confidentiality of personal data and other information processed by the Company.
11. Personal data ("personal data") means any information relating to a natural person whose identity has been or may be established, where such identification can be made directly or indirectly (by obtaining data from other sources).This may include your name, surname, email address, telephone number, address or other data on the basis of which you can be identified.
12. Data recipient - a legal or natural person to whom personal data is provided.
13. Data Subject - a natural person from whom the Company receives and processes personal data.
14. Data Processor - a natural or legal person who processes personal data on behalf of the Data Controller.
15. Provision of data - disclosure of personal data by transmitting or otherwise making it available to the recipient(s).
16. Processing means any operation or sequence of operations which is performed upon personal data, whether or not by automated means; such operations may include collection, recording, sorting, organisation, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination, or any other operation upon the data.
17. Consent means any freely given, specific and unambiguous indication of the data subject's wishes, given freely by a duly informed person, by means of a statement or an unambiguous action, by which he or she consents to the processing of personal data concerning him or her.
Basis of data processing, data protection principles and level of security:
19. The basis for processing your personal data may be:
19.1. your consent;
19.2. the intention to purchase or the purchase (including by email), delivery and receipt of related services of products manufactured and distributed by the Company for the purpose of entering into (intention to enter into), performance and control of an oral or written contract;
19.3. on a basis specified by law (for example, to comply with any obligation imposed by law or to comply with legal process or other requirements relating to dispute resolution);
19.4. the legitimate interest of the Company (for example, in bringing and defending legal claims and taking other lawful steps to avoid or minimise losses, to improve the quality of service, to ensure the consistency and sustainability of the Company's business, to meet your expectations and to maximise your satisfaction with the Company's performance).
20. The Company shall comply with the following principles when collecting and using personal data entrusted to it by you, as well as personal data received from other sources:
20.1. your personal data shall be processed in a lawful, fair and transparent manner (the principle of lawfulness, fairness and transparency);
20.2. your personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes (purpose limitation principle);
20.3. your personal data is adequate, relevant and only necessary for the purposes for which it is processed (principle of data minimisation);
20.4. the personal data processed is accurate and, where necessary, kept up to date (principle of accuracy). By submitting your personal data, you confirm that it is accurate and correct;
20.5. your personal data are kept in a form which permits identification for no longer than is necessary for the purposes for which your personal data are processed (principle of limitation of storage time);
20.6. your personal data are processed in such a way as to ensure, by appropriate technical or organisational measures, adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality).
20.7 The Company must be able to demonstrate that the processing of your personal data complies with all of the above principles (accountability principle).
21. The Company is concerned about the security of your personal data. The Company uses various security technologies and procedures to protect your personal information from unauthorised access, use or disclosure.
22. What data do we collect about you?
23. The primary purpose for which the Company collects your personal data is to sell and distribute the Company's products, to deliver them, to arrange payment for purchases, to attract partners, to make bonus payments to partners from whom you may purchase products, or to become a partner yourself. In other words, for the purpose of concluding (intending to conclude), performing and controlling oral or written contracts.
23.1 For this purpose, the following personal data may be processed: name, surname, personal identification number or date of birth, address, email address, telephone number, username, the name of the partner you have chosen (assigned to you) (who has encouraged you to become a partner, or if you have purchased through a partnership link which registers you in the system by default), the amounts of the bonuses paid out, the periods of time, the names, surnames, titles, telephone numbers, email address, IP address of the representatives. In the case of a contract with a legal person, the following data may be processed: name, surname, job title, position, email address, telephone number of the director or other authorised representative to act on behalf of the data subject, details of the members of the board of directors, shareholders (only if and to the extent that the consent of these governing bodies is required for the transaction to be concluded and to the extent that it is necessary to ascertain that such consent has been obtained), a copy of the authorisation. Other personal data provided by the data subject himself/herself shall also be obtained;
23.2. Data retention period: personal data shall be stored in the active database for the duration of the contract, i.e. from the moment of receipt of the data until the moment of performance of the contract. Accordingly, personal data shall be stored in the passive database for the specified purpose for a period of 10 (ten) years from the date of execution of the contract. Upon expiry of the retention period provided for in this point, the personal data shall be destroyed, i.e. deleted from the active database upon completion of the contract, and deleted from the passive database for personal data older than 10 (ten) years. Where available, paper or other tangible versions of documents shall be destroyed. In the event that the Company decides not to enter into a contract after receiving the data, the data will be stored in the active database for 1 (one) year from the moment of receipt;
23.3. data providers: the data is collected directly from the data subject (by you (or personal data provided on your behalf), by legal persons where you are a representative, employee, contractor, founder, shareholder, participant, owner, etc. of these legal persons, or collected by the Company itself on lawful grounds. The Company may supplement the personal data provided directly by you with personal data obtained from other sources in the performance of contracts;
23.4. groups of data recipients: employees of the Company responsible for the performance of the contract, intermediaries used by the Company, partners (who have invited/registered the client (data subject) or the data subject has identified himself/herself to a specific partner), credit, financial, payment and/or electronic money institutions, lawyers, legal counsel;
23.5. data may only be provided to third countries (outside the territory of the European Union) if the circumstances of the conclusion and/or performance of the contract are related to the third country. In this case, the Company shall carry out all the steps provided for in the General Data Protection Regulation.
24. The Company collects personal data for the purpose of using the Website:
23.2 Data retention period: personal data shall be stored in the active database for the duration of the contract, i.e. from the moment of receipt of the data until the moment of performance of the contract. Accordingly, personal data shall be stored in the passive database for the purpose specified for a period of 10 (ten) years, starting from the date of performance of the contract. Upon expiry of the retention period provided for in this point, the personal data shall be destroyed, i.e. deleted from the active database upon completion of the contract, and deleted from the passive database for personal data older than 10 (ten) years. Where available, paper or other tangible versions of documents shall be destroyed. In the event that the Company decides not to enter into a contract after receiving the data, the data will be stored in the active database for 1 (one) year from the moment of receipt;
24.3 Data Providers: you, when you visit the Website, post content, events, articles, participate in contests, post photos, videos, audio recordings, comments on the Company's social networks;
24.4.Groups of data recipients: the Company's employees responsible for IT maintenance, service providers who administer the Website;
24.5 Data may be provided to third countries (outside the territory of the European Union) only if the circumstances of the conclusion and/or performance of the contract are related to the third country. In this case, the Company shall carry out all the steps provided for in the General Data Protection Regulation.
25. The Company may process your personal data for the purpose of debt management. Personal data for this purpose is processed for the purpose of managing and recovering debts, making claims, demands, lawsuits and other documents, and submitting documents for the purpose of debt collection.
25.1. The following personal data may be processed for this purpose: name, surname, personal identification number, address, e-mail address, telephone number, current account number, bank details, amount of the debt, accrued interest, applicable penalties, date of referral for recovery, amount of the debts written off (parts of debts), date of writing off, details of the customer's financial obligations (number, dates, types of contracts in force, credit limit, account overdraft, credit utilised, interest, total financial commitments per month, instalments due, method of payment, maturity of financial commitments, maturity of delinquencies, number of delinquencies, amounts of overdue payments, amounts, number of overdue instalments, types of rejected applications, amounts of rejected applications, amount of credit, dates of granting and repayment, cost of services, interest)
25.2. Data retention period: a retention period of 10 (ten) years from the date of conclusion of the contract/debt shall apply, and in the event of legal proceedings, the retention period shall be extended until the repayment of the debt and for a period of 2 (two) years after the repayment. The retention period shall be based on the limitation periods for legal action laid down in the Civil Code of the Republic of Lithuania;
25.3. Data providers: directly from the data subject, the State Enterprise Centre of Registers, companies processing joint debtors' data files (for example, UAB Creditinfo Lietuva) and other institutions;
25.4. groups of data recipients: companies processing joint debtors' data files, lawyers, courts, arbitrators, other dispute resolution bodies, bailiffs, law enforcement agencies, debt management and collection companies, other entities with legitimate interests;
25.5. data may only be provided to third countries (outside the territory of the European Union) if the circumstances of the debt are related to the third country. In this case, the Company shall carry out all the steps provided for in the General Data Protection Regulation;
25.6 Please note that in the event of your indebtedness and if you are in arrears for more than 30 (thirty) days, the Company has the right to provide the available information on your identity, contact details and credit history, i.e. financial and property obligations and their fulfilment, debts and their payment to the companies that manage databases of debtors (for example, the credit bureau UAB Creditinfo Lietuva operating in Lithuania. UAB "Creditinfo Lietuva", company code: 111689163, address: 40A A. Goštauto g., LT-01112 Vilnius, Lithuania, tel.: 8 5 2394131, website: www.manocreditinfo.lt, which processes and provides Personal Data to third parties (financial institutions, telecommunication companies, insurance, electricity and utility providers, trading companies, etc.) for the purpose of assessing the creditworthiness of creditors and debt management in order to pursue its legitimate interests and objectives. Credit history data is normally kept for a period of 10 (ten) years after the fulfilment of obligations. You can access your credit history by contacting the credit bureau directly).
26. The Company may process your data for the purpose of ensuring the security of persons and property (in order to ensure the safety of the Company's employees, customers, persons accompanying them and other persons coming to the Company against criminal offences or other infringements of their rights, to protect the Company's property against unauthorised appropriation or damage by the employees or other persons), and for the purpose of implementing the requirements specified in the legislation - by means of image monitoring of the Company's property.
26.1 The following personal data may be processed for this purpose: image data. Video surveillance systems do not use facial recognition and/or analysis technologies, the video data captured by them is not grouped or profiled according to a specific data subject (person), nor is it audio recorded;
26.2. Data retention period: video recordings shall be kept for 14 (fourteen) days from the moment of recording (until the end of the investigation in the event of an infringement). After the expiry of this period, new video data shall be automatically overwritten;
26.3. data providers: persons entering the surveillance field of the Company's cameras;
26.4. groups of data recipients: the Company's employees, the content of the right to monitor the image and the responsible employees of the company providing security services (if any). The video recordings may also be submitted to a pre-trial investigation body, a prosecutor or a court in connection with administrative, civil, criminal cases in their possession, as evidence or in other cases provided by law;
26.5. Data shall not be transferred to third countries (outside the territory of the European Union).
27. The Company may process candidates' data for the purpose of internal administration, and in particular for the purpose of recruitment for vacancies, as specified in the Company's Personal Data Processing Rules.
27.1. The following personal data may be processed for this purpose: Name, surname, date of birth, residential address, e-mail address, telephone number, education (information on the educational institution, period of education, education and/or qualifications acquired), professional experience (information on the employer, period of employment, duties, responsibilities and/or achievements), details of further training (training attended, certificates obtained), information on language skills, information technology, driving skills, other competences, contact details of persons recommending the candidate or providing references and/or content of the reference (if applicable). The Company may also collect other information, such as checking social networks (Facebook, Instagram, LinkedIn, etc.), but only if it is necessary to view the candidate's information on social media, for example, in order to be able to assess a specific competency, skill, technique in relation to the candidates for a specific position;
27.2 Data retention period: for candidates whose CVs have been received, as well as references from former employers (if any), but who have not been hired, the CVs and references from former employers shall be erased and/or destroyed after the end of the recruitment process, unless the Company has obtained the candidate's consent to process his/her personal data for a longer period of time in order to be able to offer the position at a later date. In this case, the data subject's data shall be stored on the Company's server for a maximum of 2 (two) years from the date of receipt. After this period, CVs shall be deleted from all the Company's electronic systems and paper or other tangible copies destroyed. If a request is received from a candidate who has submitted a CV to destroy his/her CV submitted to the Company at an earlier date, the Company's Personnel Officer must coordinate the execution of such request and inform the addressee thereof within a maximum of three (3) working days. Longer retention of personal data may be carried out when the personal data is necessary in the event of a dispute/complaint or on other grounds provided for by law. Upon recruitment to the position for which the CV was sent, the CV of the recruited person (together with a reference from the former employer, if any) shall be added to the personal file and kept for as long as the employee works for the Company;
27.3. data providers: directly from the data subject (job applicant), recruitment agencies, job search portals, social networks and other entities providing job search services;
27.4. Groups of recipients: the data are not provided to third parties;
27.5. Data are not transferred to third countries (outside the territory of the European Union).
28. The Company may also, with your consent, process the data for direct marketing purposes, to provide offers, reminders about the goods produced or distributed by the Company, and cooperation opportunities offered. By granting us the right to process your data for direct marketing purposes, you also grant us permission to contact you for this purpose by means of communication (e.g. by email, telephone, SMS or other means of communication (using social networks or chat applications such as Viber, Skype, WhatsApp, Signal, Telegram, etc.). If you have become a partner, we may also send you offers, product information and marketing tools that we think may be of interest to you by mail. Notwithstanding the fact that we need to send you some material because of your affiliate status, you may opt-out of receiving some promotional communications from the Company. If you opt out of receiving certain promotional communications, we will respect your wishes, to the fullest extent possible, and will continue to enforce the agreements we have entered into with you in connection with your affiliate status. We will continue to send you communications about our services. It may also be necessary for us to collect your information in order to maintain documentation, enforce the terms of the contract, perform analyses or other actions required or permitted by law.
28.1 The following personal data may be processed for this purpose: name, surname, email address, mobile phone number, image, video, audio recordings on the Company's website and/or the Company's account on social networks;
28.2. data retention period: 5 (five) years from the moment of receipt of the data or until the date of your separate statement of objection to the processing of data for this purpose. You hereby acknowledge that you have been informed that the above data may be processed for the purpose of direct marketing and that you have the right to object to and refuse the use of your personal data for this purpose at any time by notifying the Company in writing of your objection or refusal to [email protected]. You may also notify your opt-out in the manner indicated in the communications and/or offers received by email (for example, by clicking on the "unsubscribe" link in newsletters or similar). The notice to stop processing personal data must include your name, surname, mobile phone number and email address;
28.3. data providers: directly from the data subject;
28.4. Groups of recipients: data may be transmitted to search engines or social networking systems for this purpose (the possibility to opt-out of processing is provided on the websites of these systems). Data are not provided to other persons;
28.5. Data are not transferred to third countries (outside the European Union).
29. The Company may collect and store correspondence (e.g. correspondence storage) for the purposes of maintaining and administering the relationship with customers and partners, protecting the interests of the customer and the Company, preventing disputes and collecting evidence, checking and ensuring the quality of the services provided:
29.1 For this purpose, the following personal data may be processed: name, surname, date of birth, address, email address, IP address, the content of messages sent, correspondence received or conversation, any information you choose to provide or disclose to us, information about your software, version of your operating system;29.2. data retention period: 6 (six) months from the end of the business relationship. The retention periods may be further extended for a maximum of 1 (one) year in the event of a reasoned order from a competent authority or in the event of a dispute;
29.3. data providers: directly from the data subject himself;
29.4. data recipients: supervisory authorities, lawyers, legal practitioners, courts, pre-trial investigation authorities, other entities with a legitimate interest.
29.5 The data is not provided to third countries, unless the communication is with a person residing in a third country.
31. We may also disclose your information to third parties where required to do so by law, court judgments, rulings or orders, and for other legitimate purposes; in response to lawful requests by public authorities, including for national security and law enforcement purposes; in connection with the sale, transfer, merger, bankruptcy, restructuring, or other reorganization of a business; in order to protect our or third parties' rights, legitimate interests, or property; or in the protection of essential personal interests.
32. The Company endeavours to ensure that all independent service providers to whom your personal data is transferred comply with the Company's instructions as to how they are to process your personal data. The transfer of your personal data shall be governed by the data processing contracts, agreements or terms and conditions that the Company has entered into with the independent service providers. All independent service providers - as data processors - are required to guarantee that they will process your personal data with the same care and diligence as the Company itself, and they are legally liable to you and the Company for any failure to comply with such guarantees. These independent service providers are also required to implement technical and organisational measures to ensure the same level of data protection as the Company when processing personal data. However, the security of transmission of information over the Internet, by e-mail or mobile communications may sometimes not be guaranteed for reasons beyond the Company's control, and you should therefore take care when providing confidential information. We encourage you to set complex passwords on your user account to prevent us or anyone else from gaining access to any sensitive information, the disclosure of which could cause you serious or irreparable harm.
Processing of personal data of minors and special data:
35. In order to purchase the goods produced and distributed by the Company or to use the Company's services, in order to become a partner, a minor must provide his/her representative's (father, mother, guardian(s)) written consent for the processing of his/her personal data, however, the Company does not plan to collect minors' personal data independently. To this end, the Company may ask for your date of birth or age when collecting data about you. If you believe that we may have information about a minor, please contact us. We will delete any information obtained from minors without the consent of a legal representative (unless this is contrary to mandatory legislation).36. We also do not collect information such as political opinions, religious or philosophical beliefs, racial or ethnic origin, health, genetic, biometric data or data relating to sexual orientation ("Special Data"). Please do not provide us with such data and contact us if you believe that we may hold such information. We have the right to delete any information that we believe may constitute Special Data.
Your rights as a data subject:
37. The Company has a legal obligation to ensure that your Personal Data is accurate and up to date. We kindly ask you to assist the Company in fulfilling this obligation and to ensure that you keep us informed of any foreseeable changes in relation to the processing of your personal data by the Company.
38. You may exercise the following rights at any time in relation to the processing of your personal data by the Company:
38.1 Right of access: you have the right to request access to any data that may be considered to be your personal data, including, for example, the right to know whether the Company is processing your personal data, what categories of personal data are being processed, and for what purposes;
38.2 Right to rectification: you have the right to ask the Company to rectify any of your personal data if you believe that it is inaccurate or incomplete;
38.3 Right to object: you have the right to object to the relevant processing of your personal data, including, for example, the processing of your personal data for direct marketing purposes;
38.4 Right to erasure (right to be forgotten): you can also request that your personal data be erased if it is no longer necessary for the purposes for which it was collected, or if you believe that the processing is unlawful or if you believe that the personal data must be erased in order to avoid infringing a legal requirement;
38.5 Right of restriction: you have the right to request that the Company exercise your right to restrict the processing of personal data;
38.6 Right to transfer: where your personal data is processed automatically with your consent or on the basis of a reciprocal contractual relationship, you may request that the Company provide you with such personal data in a structured, commonly used and electronic form. In addition, you may also request that the personal data be transferred to another controller. This can only be done if the technical possibilities exist;
38.7 Right to withdraw consent: where the processing is carried out with your consent, you have the right to withdraw your consent to the processing at any time;
38.9. the right not to be subject to automated evaluation and profiling. If you request a review of a decision based on automated data processing, the Company must carry out a thorough assessment of all relevant data, including the information you have provided.
41. You may submit a request/complaint for access, rectification or objection to the processing of your personal data directly to the Company, i.e., by sending it to the Company by post to the following address: 12, Akmenų g., LT-92347 Klaipėda, Republic of Lithuania, or by email to: [email protected]. In the request/complaint, the person must clearly state his/her name and surname and attach a duly certified copy of his/her personal document or sign the request with an electronic signature.
42. The Company will respond to your request/complaint within 30 (thirty) calendar days from the date of receipt of the request/complaint. In exceptional cases requiring additional time, the Company will have the right to extend the time limit for providing the requested data/responding to the complaint or for dealing with any other requirements set out in your request/complaint, upon notice to you.
43. If your request/complaint is legally justified, the Company will cease the processing of your personal data after examining the request/complaint, except for the cases stipulated by the legislation.
44. If you believe that your personal data is being processed improperly or that the Company has violated your rights as a data subject, you have the right to lodge a complaint with the State Inspectorate for Personal Data Protection (L. Sapiegos g. 17, LT-10312 Vilnius, tel.: 8 5 271 2804, 279 1445, fax: 8 5 261 9494, e-mail: [email protected], website: www.ada.lt) or with any other responsible supervisory authority responsible for the processing of your personal data in your country[U8].
Location of processing of your data:
46. The Company may transfer your personal data outside the European Union in accordance with:
46.1. the European Commission's adequacy decision;
46.2. the standard data protection terms and conditions established by the European Commission;
46.3. the standard data protection terms and conditions drawn up by the authority responsible for the protection of personal data;
46.4. the use of other available safeguards and derogations, if available under the applicable law.
Third party websites:
48. Our business partners are carefully selected and we require them to take appropriate measures to ensure confidentiality and protection of personal data.
49. Regardless of the measures taken to protect your personal information, we cannot guarantee absolute protection.