Approved by the order of the ownwer of Vila Preliudija dated 2021-01-02 No. 21/1
Vila „Preliudija“ shall ensure that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; the data shall not be processed in any manner inconsistent with the said purposes. Vila „Preliudija“ shall apply a number of organisational and technical measures to ensure adequate security of personal data, including protection from unauthorised or illegal processing, as well as from accidental loss, destruction, or damage of such data.
1. KEY TERMS
1.2. Website – the website at http://www.preliudija.com/ , where the guests of Vila „Preliudija“ can book a hotel room(s) and grant their consent to process personal data for direct marketing purposes.
1.4. Data Subject – a hotel guest whose personal data are processed by the Data Controller for the purposes of e-commerce and direct marketing.
1.5. Data Processor – a natural or legal person, which assists the Data Controller, based on authorisation granted, to accomplish the objectives set out.
1.6. Personal Data – any information relating to an identifiable guest of the hotel, processed by the Data Controller, including, but not limited to, full name, e-mail address, telephone etc.
1.7. Data Processing – any operation performed on personal data, such as collection, recording, accumulation, storage, alteration (addition or correction), submission, use, destruction or any other operation (set of operations).
1.8. Direct marketing – any operation directed at offering of goods or services to individuals by mail, phone or any other direct channel, offering special discounts and/or enquire their opinion on the goods or services offered. Approved by the order of the owner of Vila „Preliudija“
dated 2021-01-02 No. 21/1
1.9. Consent – freely made act by the Data Subject that signifies his/her agreement to the processing of personal data.
1.10. Supervisory Authority – the State Data Protection Inspectorate.
2. GENERAL PROVISIONS
2.1. The policy provides for key provisions on collection, accumulation, and processing of
Consent to the processing of his/her Personal Data.
3. PROCEDURE FOR COLLECTION, STORAGE, AND USE OF PERSONAL DATA
3.1. A Data Subject shall, when booking a room at the hotel, signify his/her consent to the processing of the following personal data by the Data Controller:
3.1.1. full name,
3.2.; email address, phone;
3.3. credit card details;
3.4. amount payable;
3.5. duration of stay at the hotel.
3.6. A hotel guest providing his/her personal data confirms these are both precise and complete.
3.7. Personal Data of registered users received for this purpose shall be stored for 2 (two) calendar years after completion of a booking at the hotel.
3.8. Data Subject is informed that, to accomplish the said purpose, the following data processors shall be employed: IT support company and a company in charge of and a company in charge of permanent maintenance of Vila Preliudija programme.
3.9. The Data Controller shall provide the following data to the Statistics Lithuania: number of guests, country of origin of guests, purpose of visit, and duration of stay at the hotel.
3.10. Data Subject, who enters his/her e-mail address on the website, accepts that the Data Controller will, for the purpose of direct marketing process the his/her personal data below:
3.10.1. E-mail address, Approved by the order of the owner of Vila Preliudija dated 2021-01-02 No. 21/1
3.11. Personal Data received for the purposes of Direct Marketing shall be stored for 2 (two) calendar years after submission of such data.
3.12. The Data Controller confirms that the Personal Data shall be collected from the Data Subject directly, and no other sources will be used.
3.13. The Data Controller shall not disclose the Personal Data under processing to the third parties, except:
3.13.1. when Data Subject grants his/her consent for disclosure of personal data,
3.13.2. when executing an order or offering other services – to the Data Processors offering services of delivery of goods or other services so ordered by the client,
3.13.3. law enforcement authorities (when so required by law),
3.13.4. where necessary to prevent or investigate criminal offences.
4. EXERCISE OF RIGHTS BY THE DATA SUBJECT
4.2. Data Subject shall be free to revoke his/her consent for collection, processing, and storage of his/her personal data any time (and in the event the personal data are processed for direct marketing purposes, no additional grounds shall be required) by contacting the Data Processor in writing as follows: 1) by logging to the website account; 2) in the event of direct marketing – by clicking a link contained in each e-mail (newsletter); 3) by mail or personal delivery at: Kepeju g.7, LT-03118 Klaipeda, Lietuva, 4) by e-mail address at: firstname.lastname@example.org from the same e-mail address as was provided at the time of registration. The Data Controller shall, upon receipt of such a request by the Data Subject, suspend processing of personal data immediately, and destroy relevant Personal Data. The Data Controller shall be free to refuse deleting personal data from the server if there is a legitimate reason to store these, in particular, in the interests of national security and defence, public order, crime prevention, investigation, discovery or prosecution, in order to secure vital national economic or financial interests, and protection of rights and liberties of other people.
4.3. A Data Subject shall, upon adequate identification, and upon production, to the Data Controller, of a personal identity document (or a notarised copy) to be used for identification only (and shall not be stored), be free to access his/her personal data based on a written application addressed to the Data Controller as follows: by mail or
personally at the following address: Kepeju g.. 7, LT-03118 Klaipeda, Lietuva. Approved by the order of the ownerVila Preliudija dated 2021-01-02 No. 21/02
4.4. A third party, wishing to access Personal Data of a Data Subject, shall be required to produce a notarised power of attorney; Personal Data shall be disclosed to an attorney upon production of a representation agreement, and upon indication of purpose of data use.
4.5. The Data Controller shall, upon receipt of a request by a Data Subject to access his/her personal data processed, respond within 30 (thirty) calendar days after receipt of relevant enquiry. Such an answer shall indicate whether the Personal Data of a Data Subject are currently processed, and if so, the nature and recipients of such data within 1 (one) calendar year. Such an answer shall be provided free of charge.
4.6. In the event the Data Subject, having accessed his/her Personal Data, finds that his/her Personal Data have been collected or received from illegal sources, or that the data are currently processed for different purposes than listed in the consent, he/she may then contact the Data Controller by e-mail seeking suspension processing of such Personal Data and/or deletion of his/her Personal Data. Where the Data Controller finds a request by Data Subject valid, it shall execute a request by a Data Subject immediately, within 5 business days, and inform of any actions so taken in writing.
4.7. In the event the Data Subject, having accessed his/her Personal Data, finds them not precise or incomplete, he/she may then, upon adequate identification, apply in writing seeking correction and/or supplement of his/her Personal Data. Where the Data Controller finds an application valid, it shall correct or supplement the Personal Data immediately, within 5 business days, and inform of any actions so taken in writing.
4.8. A Data Subject may request the Data Controller to “forget” him/her, i.e. request to have all of his/her Personal Data deleted, unless, however, such data are required for the purposes they were collected and processed, or unless the Data Subject withdraws his/her consent, or unless the data are processed in breach of legal requirements. The Data Controller shall execute such a valid request and shall inform the Data Subject of steps taken immediately, within 5 business days.
4.9. Where a Data Subject believes his/her legitimate interests were breached in course of processing of his/her Personal Data, he/she shall be free to contact the Supervisory Authority.
5. RISK FACTORS OF BREACH OF PERSONAL DATA PROTECTION AND
METHODS TO RESOLVE THESE
5.1. To ensure protection of Personal Data, the Data Controller shall implement the following organisational and technical personal data protection measures:
5.1.1. Organizational measures
126.96.36.199. The Data Controller shall operate according to procedures so as to ensure secure processing and/or transfer of digital data and/or documents and their archives.
188.8.131.52.Access to the Personal Data of the Data Subject shall only be granted to those employees when so required to carry out their official functions, and only subject to confidentiality agreements, provided the employees have been introduced to other rules of procedure concerning data processing.
5.1.2. Technical measures
184.108.40.206. Data processors (service providers) appointed by the Data Controller shall act upon authorisation of the Data Controller only.
220.127.116.11. Personal data shall be protected from loss, unauthorised use and change. Internet connection shall be encoded, while webpage shall function via https:// protocol.
18.104.22.168. Hardware shall be protected from malware (e.g. installation and update of anti-virus software), while internal network shall be protected with a firewall.
6.1. http://www.preliudija.com/ website shall include cookies; they shall be used for statistical purposes, to assess the visiting rate of the website and popularity of specific content. Such processing of data does not allow for personal authentification of a website visitor, directly or otherwise.
|6.2. A website visitor can either delete cookies from his/her PC, or have them blocked on his/her browser; this may make certain functions of the website unavailable (or disrupt their functioning).|
Description/Purpose of use
|PHPSESSID||The standard cookie is used to support the user session. Required cookie||At the time of entering the page||Until the closing of the website window||Unique identifier|
|_ga||These cookies are used to collect statistical information about website traffic. The resulting data is used to generate reports and to refine the page.||At the time of entering the page||2 years||Unique identifier|
|_gid||These cookies are used to collect statistical information about website traffic. The resulting data is used to generate reports and to refine the page.||At the time of entering the page||24 hours||Unique identifier|
|_gat||Used to set new sessions / visits||At the time of entering the page||10 minutes||Unique identifier|
7. FINAL PROVISIONS
© 2021. Vila Preliudija, Kepeju str. 7, Klaipeda LT-91247 Lithuania, +370 46 31 00 77 |