PRIVACY POLICY

UAB “BALTIJOS PERVEZIMAI"

(Code 141587495)

APPROVED
by Order No. VKT-22/5
of the Director General
of UAB “BALTIJOS PERVEZIMAI"
of 3 January 2022

The purpose of the privacy policy is to inform how the personal data of data subjects are collected and processed, to explain how long they are stored, to whom they are provided, what rights data subjects have and where to apply for their implementation or other issues related to the processing of personal data.

Personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 of the European Union (hereinafter - the Regulation), the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of personal data.

UAB “BALTIJOS PERVEZIMAI" is guided by the following main data processing principles:

• Personal data are collected only for clearly defined and legitimate purposes;
• Personal data are processed only lawfully and fairly;
• Personal data are constantly updated;
• Personal data are stored securely and for no longer than is required by the purposes for which the data are processed or by legislation;
• Personal data are processed only by those employees of the Company who have been granted such a right in accordance with their work functions or by duly authorized data processors.

1. DEFINITIONS

1.1. Data controller - UAB “BALTIJOS PERVEZIMAI" (hereinafter - the Company), legal entity code 141587495, registration address S. Šimkaus str. 13, Klaipėda.

1.2. Data subject - any natural person whose data is processed by the Company. The data controller collects only those data of the data subject that are necessary for the performance of the Company's activities and (or) when visiting, using and browsing the Company's website (hereinafter – the Website). The Company ensures that the personal data collected and processed will be secure and will only be used for the specific purpose.

1.3. Personal data - any information relating directly or indirectly to the data subject whose identity is known or can be established directly or indirectly by reference to the data concerned. Processing of personal data means any operation performed on personal data (including the collection, recording, storage, editing, modification, granting of access, submission of requests, transmission, archiving, etc.).

1.4. Consent - any voluntary and deliberate consent by which the data subject consents to the processing of his or her personal data for a specified purpose.

1.5. Cookies - small pieces of textual information used in the Company's website that are automatically generated while browsing the website and stored on a computer or other device used by the data subject (website visitor). Cookies are used to improve the browsing experience for website visitors, to analyze website traffic and behavior on the website.

2. SOURCES OF PERSONAL DATA

2.1. Personal data are provided by the data subject himself/herself. The data subject applies to the Company, uses the services provided by the Company, sells goods and/or services, leaves comments, asks questions, etc.

2.2. Personal data are obtained when the data subject visits the Company's website. The data subject fills in the forms in it or for some reason leaves his/her contact details and so on.

2.3. Personal data are obtained from other sources. Data are obtained from other institutions or companies, publicly available registers, etc.

3. PROCESSING OF PERSONAL DATA

3.1. By providing personal data to the Company, the data subject agrees that the Company will use the collected data to fulfill its obligations to the data subject in providing the services that the data subject expects.

3.2. The Company processes personal data for the following purposes:

3.2.1. Ensuring the Company's operations and continuity. The following data shall be processed for this purpose:

• For the purpose of concluding and executing contracts, personal data of suppliers (natural persons) may be processed: name(s), surname(s), personal identification code or date of birth, place of residence (address), telephone number, e-mail address, place of work, position, the bank's current account and the bank where the account is located, date, amount, currency of the monetary operation or transaction, other data provided by the person himself/herself, which the Company receives in accordance with legislation in the course of the Company's activities and/or which the Company is obliged to manage by law and and/or other legislation. For example, the data in the business certificate (type of activity, group, code, name, periods of activity, date of issue, amount), the number of the individual activity certificate, the data on whether the data subject is a VAT payer, etc. data necessary for the proper performance of the contract and/or legal obligations.
• Contracts, VAT invoices and other related documents are stored in accordance with the terms specified in the General Documents Storage Index approved by the Order of the Chief Archivist of Lithuania.

3.2.2. Administration of the CV database of job candidates. The following data shall be processed for this purpose:

• Name(s), surname(s), date of birth (age), address of the place of residence, contact details (telephone number, e-mail address), information on the candidate's education (educational institution, period of education, education obtained and/or qualifications), information on professional development (training received, certificates obtained), information on the candidate's work experience (workplace, period of work, position, responsibilities and/or achievements), information on language skills, information technology, driving skills, other competencies, other information you provide on your CV, motivational letter or other application documents, recommendations from employers, feedback: people recommending or providing feedback on the candidate, their contacts, recommendations or the content of the feedback.
• At the end of the selection period and without selecting the data subject and without concluding an employment contract with the data subject, the Company deletes the CVs and other data sent by the candidates, unless the Company has given the candidate consent to process his/her personal data for a longer period. In this case, the data of the data subject shall be stored automatically for 1 (one) year from the date of submission of the data. At the end of the specified term of data processing and storage, the responsible persons of the data controller will destroy the data within 1 (one) calendar week. Prolonged storage of personal data may be carried out when personal data are necessary in the event of a dispute/complaint or on other grounds provided for by law.

3.2.3. Administration of inquiries, comments and complaints. The following data shall be processed for this purpose:

• Name(s) and/or username, e-mail address, subject of the message, comment, feedback or complaint, text of the message, comment, feedback or complaint.
• Data on inquiries, comments and complaints are stored for 1 year from the date of submission.

3.2.4. Direct marketing. The following data shall be processed for this purpose:

• Name(s), surname(s), date of birth, e-mail address, telephone number.
• The data shall be stired for 3 years from the date of receipt of the consent. This term may be extended if personal data is used or may be used as evidence or a source of information in a pre-trial or other investigation, including an investigation conducted by the State Security Administration, in a civil, administrative or criminal case, or in other cases prescribed by law. In that case, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed as soon as they are no longer needed.

3.2.5. For the purpose of ensuring the security of the Company's employees, other data subjects and assets (video surveillance). The following data shall be processed for this purpose:

• Video image. Video surveillance systems do not use facial recognition and/or analysis technologies, and the image data captured by them are not grouped or profiled according to a specific data subject (person). The data subject shall be informed about the video surveillance by means of information signs with the video camera symbol and the Company's details, which shall be provided before entering the monitored area and/or premises. The field of surveillance of video cameras shall not include premises where the data subject expects absolute protection of personal data.
• Personal data (video data) obtained by video surveillance cameras shall be stored for up to 14 (fourteen) calendar days from the moment of their capture, after which they shall be automatically destroyed, unless there is reason to believe that a misdemeanor, criminal offense or other illegal activity has been recorded (until the end of the relevant investigation and/or trial).

3.2.6. For other purposes for which the Company has the right to process the personal data of the data subject, when the data subject has given his/her consent, when the processing is necessary for the legitimate interest of the Company or when the Company is obliged to process the data.

4. USE OF COOKIES

4.1. You can find more information about cookies at AllAboutCookies.org.

4.2. If you do not agree that we use cookies, you have the ability to change your browser settings and control the amount of cookies. Useful links to opt out of cookies can be found below:

• For Chrome browser: https://support.google.com/chrome/answer/95647?hl=en;
• For Firefox browser: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer?redirectlocale=en-US&redirectslug=Cookies;
• For Safari browser: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac;
• For Edge browser: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy.

5. PROVISION OF PERSONAL DATA

5.1. The Company undertakes to respect the obligation of confidentiality in respect of the data subjects. Personal data may be disclosed to third parties only if this is necessary for the conclusion and performance of a contract for the benefit of the data subject or for other legitimate reasons.

5.2. The Company may provide personal data to its data processors who provide services to the Company and process personal data on behalf of the Company. Data processors have the right to process personal data only in accordance with the Company's instructions and only to the extent necessary for the proper performance of the obligations set out in the contract. The Company shall use only those processors who sufficiently ensure that the appropriate technical and organizational measures are implemented in such a way that the processing complies with the requirements of the Regulation and that the rights of the data subject are protected.

5.3. The Company may also provide personal data in response to requests from a court or public authority to the extent necessary to properly comply with the legislation in force and the instructions of the public authorities.

5.4. The Company guarantees that personal data will not be sold or rented to third parties.

6. PROCESSING OF PERSONAL DATA OF MINORS

6.1. Individuals under the age of 14 may not provide any personal information through the Company's website. If a person is under 14 years of age, in order to use the Company's services, the written consent of one of the representatives (father, mother, guardian) regarding the processing of personal data must be submitted before providing personal information.

7. TERM OF STORAGE OF PERSONAL DATA

7.1. Personal data collected by the Company is stored in printed documents and/or in the Company's information systems. Personal data shall be processed for no longer than is necessary for the purposes of the processing or for no longer than required by the data subjects and/or provided for by legislation.

7.2. Although the data subject may terminate the agreement and waive the Company's services, the Company must continue to retain the data subject's data due to possible future claims or legal claims until the data retention periods expire.

8. RIGHTS OF THE DATA SUBJECT

8.1. Right to obtain information on data processing.

8.2. Right of access to processed data.

8.3. Right to request rectification of data.

8.4. Right to request deletion of data (“Right to be forgotten"). This right shall not apply if the personal data requested to be deleted are also processed on another legal basis, such as processing necessary for the performance of the contract or the fulfillment of an obligation under the applicable law.

8.5. Right to restrict data processing.

8.6. Right to object to data processing.

8.7. Right to data portability. The right to data portability must not adversely affect the rights and freedoms of others. The data subject shall not have the right to data portability in respect of personal data which are processed in non-automated files, such as paper files.

8.8. The right to exclude a solution based solely on automated data processing, including profiling.

8.9. The right to submit a complaint regarding the processing of personal data to the State Data Protection Inspectorate.

9. The Company must enable the data subject to exercise the above rights of the data subject, except in cases prescribed by law when it is necessary to ensure state security or defense, public order, prevention, investigation, detection or prosecution of criminal activities, important state economic or financial interests, prevention, investigation and detection of breaches of official or professional ethics, the protection of the rights and freedoms of the data subject or of others.

10. PROCEDURE FOR EXERCISE OF RIGHTS OF THE DATA SUBJECT

10.1 The data subject may apply to the Company for the exercise of his/her rights:

10.1.1. By submitting a written request in person, by post, through a representative or by electronic means - by e-mail: info@baltic-shipping.lt;

10.1.2. Orally - by phone: +370 46 311951;

10.1.3. In writing to the address: S. Šimkaus str. 13, Klaipėda.

10.2. In order to protect the data from unauthorized disclosure, the Company must verify the identity of the data subject upon receipt of a request from the data subject to provide data or exercise other rights.

10.3. The Company's response to the data subject shall be provided no later than one month from the date of receipt of the data subject's request, taking into account the specific circumstances of the processing of personal data. This period may be extended by a further two months, if necessary, depending on the complexity and number of applications.

11. RESPONSIBILITY OF THE DATA SUBJECT

11.1. The data subject must:

11.1.1. Inform the Company about changes in the information and data provided. It is important for the Company to have correct and valid data subject information;

11.1.2. Provide the necessary information to enable the Company to identify the data subject at the request of the data subject and to ensure that it is in real communication or cooperation with the particular data subject (provide an identity document or by electronic means that allow proper identification of the data subject). This is necessary for the protection of the data subject and other persons so that the information disclosed about the data subject is provided only to the data subject, without prejudice to the rights of other persons.

12. FINAL PROVISIONS

12.1. By providing personal data to the Company, the data subject agrees to this Privacy Policy, understands its provisions and agrees to abide by it.

12.2. The Company reserves the right to unilaterally change this Privacy Policy at any time during the development and improvement of the Company's operations. The Company has the right to unilaterally, partially or completely change the Privacy Policy by notifying the website www.baltic-shipping.lt.

12.3. Additions or changes to the Privacy Policy take effect from the date of their publication, i. e. from the day they are posted on the website www.baltic-shipping.lt.