Privacy policy

1. Purpose of the policy, main concepts

1.1. This Privacy Policy (hereinafter – the Policy) UAB “Garbaris”, i.k. 145229570, (hereinafter – the Company) recognizes theimportance of personal data protection for the Company’s customers and other data subjects and undertakes to respect and protect the privacy of each data subject. Data subjects entrust the Company with their personal information and the Company is responsible for ensuring that the data subjects’ trust is justified. The policy defines the Company’s commitment and responsibility in order to protect and respect personal privacy, the actions of the Company and its employees when processing personal data, using the personal data processing tools installed in the Company, and also determines the rights of data subjects and the procedure for their implementation, personal data protection implementation measures and other issues related to personal data protection.

1.2. The main concepts used in the Policy:

1.2.1. data subject – a natural person whose data the Company processes;

1.2.2. personal data – any information related to a natural person – a data subject whose identity is known or can be directly or indirectly determined using data such as a personal code, one or more physical, physiological, psychological, economic, cultural or social characteristics characteristic of a person signs;

1.2.3. processing of personal data – any action performed with personal data: collection, recording, accumulation, storage, classification, grouping, connection, change (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination , destruction or other action or set of actions;

1.2.4. consent of the data subject – any freely given, specific and unambiguous expression of the will of a duly informed data subject by means of a statement or unambiguous actions by which he agrees to the processing of personal data related to him, for example, written, including by electronic means, or oral statement. Silence, pre-checked boxes or inaction do not constitute consent;

1.2.5. data controller – a legal or natural person who, alone or together with others, determines the purposes and measures of personal data processing. In this Policy, the Company is considered a data controller;

1.2.6. data processor – a legal or natural person (who is not an employee of the data controller) authorized by the data controller to process personal data;

1.2.7. employee – a person who has entered into an employment or similar contract with the Company;

1.2.8. supervisory authority – State Data Protection Inspectorate;

1.2.9. direct marketing – activities aimed at offering goods or services to individuals by mail, telephone or other direct means and/or asking for their opinion on the offered goods or services;

1.2.10. The company’s website – www.garbaris.lt;

1.2.11. General Data Protection Regulation – 2016 April 27 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

1.2.12. customer – a natural person aged 16 or older who buys or plans to buy goods sold by the Company and for that purpose has submitted his personal data to the Company;

1.2.13. other terms used in the Rules correspond to the terms stipulated in the General Data Protection Regulation and the Law on Legal Protection of Personal Data of the Republic of Lithuania.

1.3. This Policy aims to facilitate the exercise of data subjects’ rights.

1.4. This Policy applies to the processing of personal data of employees to the extent that it is not regulated by the Personal Data Processing Rules approved by order of the Company Director. This Policy is also applicable to the protection of personal data of other data subjects (ie, non-customers and non-employees) whose personal data the Company processes or will process in the future.

1.5. The personal data processed by the company must be accurate, appropriate and only to the extent necessary for their collection and further processing. If necessary for the processing of personal data, personal data are constantly updated.

1.6. Persons aged 16 or older have the right to create an account on the Company’s website and submit their personal data for processing through the Company’s website.

1.7. Clause 1.6 of this Policy provides for the possibility to submit their personal data for processing through the Company’s website only to persons aged 16 or older, as children need special protection of their personal data, as they may not be sufficiently aware of the risks, consequences or protective measures related to the processing of personal data and their rights , create an account on the Company’s website.

1.8. UAB “myWorld Lithuania”, whose loyalty partner is the Company, provides that persons over 14 years of age can register and participate in the Cashback World Program managed by UAB “myWorld Lithuania”, but prior to reaching adulthood, it is necessary to obtain the written consent of the legal representative. Accordingly, persons who have reached the age of 14 can fill out a paper form at the Company’s point of sale for a UAB “myWorld Lithuania” loyalty card issued by the Company. However, a minor intending to fill out the form must come with his legal representative, who, after presenting a document confirming his right of representation, submits his written consent as a legal representative to fill in the form and process the minor’s personal data for the purposes of issuing and using the loyalty card.

1.9. Personal data of customers are collected for the purposes of concluding and executing sales contracts for goods sold by the Company on the Internet (for processing and administration of the purchase (order) of goods), for customer identification in the Company’s information system, for customer identification when logging in to their account on the Company’s website, for issuing invoices and other financial documents, and also for direct marketing purposes.

1.10. The company processes the following personal data for the purposes specified in point 1.9 of the Policy: name, surname, e-mail address, telephone number, postal address, bank account data, data on the buyer’s behavior and purchased purchases.

1.11. 1.9. The legal basis for the processing of personal data referred to in point is the Company’s obligation to fulfill the contract concluded with the data subject and/or to take steps to conclude the contract at the request (order) of the personal data subject.

1.13. The company processes the following personal data for the purposes of implementing the loyalty program specified in point 1.12 of the Policy: country, language, gender, first name, last name, date of birth, mobile phone number, e-mail address, name, surname, mobile phone number, e-mail address of legal representatives of minors, basis of representation.

1.14. The legal basis for processing the data referred to in point 1.12 is the consent of the data subject.

1.15. The company processes the following personal data of customers for direct marketing purposes: first name, last name, e-mail address, phone number.

1.16. The legal basis for processing the data referred to in point 1.15 is the consent of the data subject.

1.17. When personal data is processed for the purposes of loyalty program implementation and direct marketing specified in point 1.12 and/or 1.15, the data subject has the right to object to such processing of personal data free of charge at any time, insofar as the processing is related to these purposes, by revoking his consent.

1.18. The processing of personal data is governed by the General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania, other legal acts regulating the processing of personal data.

2. Processing of personal data

2.1. Only employees have the right to process customer personal data in the Company, including their transfer to third parties provided for in point 2.2 of the Policy. Every employee must keep the client’s personal data confidential and comply with the personal data protection legislation and the requirements of these Rules.

2.2. During the execution of purchase and sale contracts for goods sold by the Company online, the personal data of the Customers may be disclosed only to the Company’s partners, acting on behalf of the Company as data processors, who provide delivery of parcels and other services related to the execution of the goods purchase and sale contract (personal data is disclosed only to the extent as much as is necessary for the provision of relevant services). Customers who fill out paper questionnaires for UAB “myWorld Lithuania” loyalty card issued by the Company at the Company’s point of sale, the personal data provided in the completed questionnaires are transferred to UAB “myWorld Lithuania” in electronic form. After customers order Amway products in the Company’s online store, the order with the relevant personal data is transferred to Amway Polska Sp. z o. o., to the representative office of Alticor Corporation, representing the aforementioned company in Lithuania. Clients’ personal data can only be provided to those data processors with whom the Company has signed contracts, which contain provisions on the transfer/provision of personal data, and if the data processor ensures the protection of transferred personal data required by the General Data Protection Regulation. In all other cases, the personal data of customers may be disclosed to third parties only in the cases and according to the procedure established by the legal acts of the Republic of Lithuania.

2.3. Customers who fill out paper questionnaires for UAB “myWorld Lithuania” loyalty card issued by the Company at the Company’s point of sale, the completed questionnaires with the personal data provided in them are stored in the Company, in a locked cabinet/drawer, and only the Company’s director has the right to manage and access them or his specially authorized employee of the Company. All other personal data of customers are collected and stored in electronic form, automatically. If a paper order form is printed for the execution of the customer’s order submitted on the Company’s website, it must be destroyed immediately after the order is fulfilled, and the employee who completed the order is responsible for this.

2.4. Employees adhere to the principle of confidentiality and keep secret any information related to personal data that they have become familiar with in the performance of their duties, unless such information is made public in accordance with the provisions of applicable laws or other legal acts. The obligation to keep personal data secret also applies after moving to another position, ending the employment or contractual relationship. In performing the duties provided for in this point, employees must:

2.4.1. not disclose, transfer or condition by any means to get acquainted with the personal data of customers to any person who is not authorized to process personal data;

2.4.2. immediately notify the Director of the Company of any situation threatening the security of personal data.

2.5. Term of personal data processing: personal data are processed until they are no longer necessary for the purposes of their processing:

2.5.1. personal data of customers are collected and processed for the purposes of concluding and executing sales contracts for goods sold online by the Company (clause 1.9) and are stored for no longer than 5 (five) years from the last order placed through the Company’s website;

2.5.2. personal data are processed for the purposes of implementing the loyalty program specified in point 1.12, are processed no longer than until the withdrawal of consent to participate in the loyalty program, or until the end of the loyalty program;

2.5.3. the personal data of customers are processed for the purposes of direct marketing specified in point 1.15, they are processed no longer than until the cancellation (cancellation) of the consent to receive advertising.

2.6. When personal data are no longer needed for the purposes of their processing, they are destroyed, except for those that must be transferred to state archives in cases established by law.

2.7. The protection of personal data is organized, ensured and carried out by the head of the Company.

3. Rights of the data subject and the procedure for their implementation

3.1. Rights of the data subject:

3.1.1. to know (be informed) about the processing of your personal data in the Company;

3.1.2. get familiar with your personal data processed by the Company and how they are processed;

3.1.3. do not consent to the processing of his personal data;

3.1.4. demand correction, clarification or addition of incorrect or incomplete personal data, destruction of personal data or suspension, except for storage, of processing of personal data;

3.1.5. request deletion of data (“right to be forgotten”). This right applies on one of the following grounds:

3.1.5.1. personal data are no longer necessary to achieve the purposes for which these data were collected or otherwise processed;

3.1.5.2. the data subject withdraws the consent on which the data processing was based and there is no other legal basis for processing the data;

3.1.5.3. personal data were processed illegally;

3.1.5.4. personal data must be deleted in accordance with a legal obligation established by European Union or national law;

3.1.6. the right to data portability: the data subject has the right to receive the personal data relating to him, which he has provided to the data controller, in a structured, commonly used and computer-readable format, and has the right to forward that data to another data controller, and the data controller to whom the personal data has been provided , must not create obstacles to it when:

3.1.6.1. data processing is based on consent or contract;

3.1.6.2. data is processed by automated means.

3.2. The data subject has the right to submit a complaint to the supervisory authority regarding possible illegal processing of his personal data.

3.3. The data subject has the right to authorize a non-profit institution, organization or association, which is duly established in accordance with the law of the Republic of Lithuania and whose goals set by the statutes are in the public interest, which operates in the field of protection of the rights and freedoms of the data subject, as far as the protection of their personal data is concerned, on his behalf file a complaint and exercise on his behalf certain rights provided for in the General Data Protection Regulation

3.4. The procedure for implementing the rights of the data subject:

3.4.1. in order to exercise the rights specified in point 3.1, the person must submit a written request to the Company (in person, by post, through a representative, or by means of electronic communications). The request must be legible, signed by the person, the request must include: the person’s name, surname, place of residence, contact details and information about which of the above-mentioned rights and to what extent he wishes to exercise them;

3.4.2. when submitting an application, a person must confirm his identity:

3.4.2.1. if the application is submitted directly upon arrival at the Company – submit a document confirming the identity of the person or a copy certified in the manner established by the legal acts of the Republic of Lithuania;

3.4.2.2. if the request is submitted by mail – submit a copy of the personal identity document approved in accordance with the procedure established by the legal acts of the Republic of Lithuania;

3.4.2.3. if the request is submitted through a representative – submit a document confirming the representation;

3.4.2.4. if the request is submitted by means of electronic communication, sign with an electronic signature;

3.4.3. the data subject’s right to object to his personal data being processed for direct marketing purposes is exercised after the data subject informs the Company of his objection by e-mail or telephone and provides information about all his accounts created on the Company’s website;

3.4.4. if the data subject has his own account on the Company’s website, he can view and edit the personal informationprovided on the Company’s website and his contact details by visiting his in the account. Through his account on the Company’s website, the data subject can exercise his right to object to the processing of his personal data for direct marketing purposes.

3.5. The requests specified in point 3.4.1 of this Policy are examined by the Director of the Company. The request is examined and the answer is provided to the person no later than within 30 days from the date of receipt of the request.

3.6. When submitting requests under 3.4.1. point, the data subject should not obviously abuse his rights. In the event that the data subject abuses his right (for example, applies to the Company for information about his personal data processed more than once in six months), the Company has the right to demand from the data subject reimbursement of administrative costs related to the execution of such requests.

3.7. The objection of the data subject to the processing of his personal data for direct marketing purposes shall be responded to immediately, in the shortest possible time. Company employees responsible for computer maintenance must ensure that personal data is not further processed for direct marketing purposes.

4. Cookies and their use

4.1. Part of the information is collected automatically when the data subject visits the Company’s website, as the Internet Protocol address of the data subject must be recognized by the Company’s server.

4.2. The company’s website also uses data analysis management tools – cookies.

4.3. By using the Company’s website, the data subject agrees that the cookies used on this website will be saved on the data subject’s computer (device). Every time you visit the Company’s website, by changing the settings of your Internet browser accordingly, the data subject can accept or refuse the use of cookies, but in this case, the Company cannot guarantee the quality of browsing the website.

5. Security of personal data

5.1. The company implements organizational and technical measures to protect personal data from accidental or illegal destruction, alteration, disclosure, as well as from any other illegal processing.

5.2. If personal data security violations are detected, the Company removes them immediately.

5.3. The employees of the company adhere to the principle of confidentiality, as stipulated in point 2.4 of the Policy.

5.4. Anti-virus software must be kept up-to-date on company computers.

5.5. In the event of a breach of personal data security, the Company shall notify the supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the breach of personal data security, unless the breach of personal data security should not endanger the rights and freedoms of natural persons. If the supervisory authority is not notified of a breach of personal data security within 72 hours, the reasons for the delay shall be attached to the notification.

5.6. When the rights and freedoms of data natural persons may be seriously endangered due to a breach of personal data security, the Company shall immediately notify the data subject of the breach of personal data security without undue delay.

6. Liability

6.1. The data subject must provide the Company with complete and correct personal data of the data subject and inform about relevant changes in personal data.

6.2. The Company cannot fully guarantee that the functioning of the Company’s website will be uninterrupted and that it will be completely protected from viruses. In no case does the Company assume responsibility for direct or indirect losses related to the use of materials and documents available on the Company’s website. The data subject is informed that any material that the data subject reads, downloads or otherwise receives using the Company’s website is obtained exclusively at the discretion and risk of the data subject, therefore it is the data subject who is responsible for the damage caused to the data subject himself or his computer system.

6.3. The data subject who has his account on the Company’s website must ensure the security of his login data. The company is not responsible for the damage suffered by the data subject due to improper implementation of the obligation provided for in this point.

6.4. Unless otherwise stated, the intellectual property rights (including copyright) to the content and information on the Company’s website belong to the Company. It is prohibited to reproduce, translate, adapt or in any other way use any part of the Company’s website without the prior written consent of the Company. It is prohibited to perform any other actions that violate or may violate the Company’s intellectual property rights to the website, as well as that are contrary to fair competition.

7. Final Provisions

7.1. This Policy is updated at least once every two years or when the legal acts governing the protection of personal data change.

7.2. The policy is published publicly on the Company’s website. Companies customers are introduced to this Policy by electronic means.

7.3. Employees are familiarized with the Policy in a signed form.

7.4. The company has the right to partially or completely change this Policy. Data subjects are informed of the changes in accordance with the procedure set out in clauses 7.2-7.3 of the Policy.

7.5. Data subjects can contact the Company’s employees with any questions related to this Policy, through the contacts indicated on the Company’s website.